[ckan-dev] Invalidate session on the server, is this even possible?

Tue Feb 17 15:07:43 UTC 2015

Hi Stefan,

You are correct. The session isn't invalidated server-side.

Like many sites that use cookie-based authentication, CKAN is potentially
vulnerable to a some forms of attack if additional steps aren't taken to
provide additional security.

The latest version of ckan, due for release soon (2.3), has exposed a
number of settings to help prevent these attacks[1]:

* Secure flag - this forces the cookie to only be transmitted over https,
and mitigates the man-in-the-middle attack (as demonstrated by firesheep).
If set, an attacker would need physical access to your machine to clone
your auth cookie.
* HttpOnly flag - helps to prevent XSS attacks by preventing DOM access to
cookies
* timeout - if set, this decreases the window of opportunity for an attack
to occur - note this is separate from the expires value on the auth_tkt
cookie itself.

[1]
http://docs.ckan.org/en/latest/maintaining/configuration.html#repoze-who-settings

I hope this helps to clarify things,

Brook

On 15 February 2015 at 21:55, Stefan Oderbolz <stefan.oderbolz at liip.ch>
wrote:

> We already use HTTPS, so yes it is mitigated that way. But still: an
> attacker could steal the cookie (in what way ever), and the user
> should be able to "logout" and thus end this very session. The part I
> don't understand is, that the auth_tk thingy seems to depend
> completely on the session cookie on the client side, where is this
> information on the server?
>
> - Stefan
>
> On Fri, Feb 13, 2015 at 11:42 AM, Alex (Maxious) Sadleir
> <maxious at gmail.com> wrote:
> > Just tried doing a login/logout/login on demo.ckan.org and it did
> > rotate the auth_tkt. I don't know if you can have a maximum lifetime
> > of an auth_tkt though.
> >
> > https://en.wikipedia.org/wiki/Firesheep demonstrated that it's
> > possible to take cookies from other users on a wireless network and
> > impersonate them on certain web sites like Facebook and Twitter.
> >
> > To mitigate that threat, people probably want to force users to login
> > (because their password would transmit in plain text) and use CKAN
> > sites over HTTPS.
> > This will become much easier later this year with the launch of Let's
> > Encrypt https://letsencrypt.org/ which will provide free automated
> > SSL/TLS certificates so there's no longer barriers to implementing
> > HTTPS.
> >
> > On Fri, Feb 13, 2015 at 9:15 PM, Stefan Oderbolz
> > <stefan.oderbolz at liip.ch> wrote:
> >> Hi there,
> >>
> >> we have currently a security issue on one of our CKAN instances. I'm
> >> not really the expert, but as far as I understood CKAN uses the
> >> auth_tkt plugin from repoze.who to authenticate a user a its session.
> >> The auth_tk cookie therefore contains all the session data which is
> >> then used to authenticate a user.
> >>
> >> Now if a user logs out this cookie is deleted and the next time he
> >> logs in a new session cookie is created. If now an attacker can copy
> >> the content of the auth_tk cookie, then he could still use the session
> >> to access the site. So afaik this means the session is never really
> >> invalidated on the server side. By looking at the code I don't really
> >> understand how it works. There must be some kind of session
> >> information on the server side, right? Shouldn't it be possible to
> >> delete that once a user logs out, so that actually the session is not
> >> valid anymore? Or how does that work?
> >>
> >> Any help would be very much appreciated.
> >>
> >> Cheers Stefan
> >>
> >> PS: We're talking here about CKAN 2.2. The auth_tk stuff is here:
> >>
> https://github.com/ckan/ckan/blob/c260d58387167c660c4981b0305d514693064e20/ckan/lib/auth_tkt.py
> >> and what appears to be the session handling is here:
> >>
> https://github.com/ckan/ckan/blob/40a4befc7cb68ad621558e6bb2c70621afffc0cd/ckan/lib/base.py#L292
> >>
> >> --
> >> Liip AG  // Limmatstrasse 183 //  CH-8005 Zürich
> >> Tel +41 43 500 39 80 // GnuPG 0x7B588C67 // www.liip.ch
> >> _______________________________________________
> >> ckan-dev mailing list
> >> ckan-dev at lists.okfn.org
> >> https://lists.okfn.org/mailman/listinfo/ckan-dev
> >> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
> > _______________________________________________
> > ckan-dev mailing list
> > ckan-dev at lists.okfn.org
> > https://lists.okfn.org/mailman/listinfo/ckan-dev
> > Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>
>
>
> --
> Liip AG  // Limmatstrasse 183 //  CH-8005 Zürich
> Tel +41 43 500 39 80 // GnuPG 0x7B588C67 // www.liip.ch
> _______________________________________________
> ckan-dev mailing list
> ckan-dev at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/ckan-dev
> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.okfn.org/pipermail/ckan-dev/attachments/20150217/f296e91d/attachment-0003.html>