[pubcookie-dev] Suggested mod to cookie obscuring including patch
Nathan Dors
dors at cac.washington.edu
Thu May 5 11:26:37 PDT 2005
We discussed this a bit more here yesterday. I tried to make the
case for a better policy along the lines you described, but there
seems to be no getting around the fact that cookies are visible to
the entire server domain name, regardless of any obscuring or
visibility changes we do in the module. Therefore, anything we do,
including the current blanking, has limited/specious value and is
really only creating a false sense of security.
That said, it's not like we don't run pubcookie or don't have web
applications on multi-user, multi-department servers here. This
inherent risk just has to be factored in when considering where to
deploy an application.
Any further comments, from anyone?
-Nathan
On Wed, 4 May 2005, Steve Losen wrote:
>
> Currently when you set
>
> PubcookieNoBlank on
>
> (soon to become PubcookieNoObscureCookies) it turns off all
> cookie blanking by the pubcookie module. Consequently, even
> non-pubcookie CGI programs on the app server can see the cookies.
> This is bad because session cookies are replayable. Therefore
> you must have very tight control of the app server if you want
> to turn off cookie obscuring.
>
> We have a pubcookie app that passes on the session cookie to
> a back end process as an authentication token. We put code in
> the back end process so that it knows how to decrypt and verify
> the session cookie.
>
> Unfortunately, we need to run this app on a large cluster of
> web servers that is used by a lot of different University
> departments, so we do not have tight enough control over it.
>
> I modified blank_cookie() in mod_pubcookie.c so that even when you
> turn off cookie obscuring, most cookies still get obscured.
>
> I think that only a pubcookie app should be able to see unobscured
> cookies, and only these cookies: pre-session, granting, and
> the session cookie for this app. I don't see why pubcookie app
> A should ever be able to see the session cookie for app B. I
> particularly don't see why a non-pubcookie CGI should ever see
> unobscured cookies.
>
> If you agree, then here is my patch to mod_pubcookie.c (vanilla 3.2.0)
>
> *** mod_pubcookie.c.orig Fri Jan 21 17:43:46 2005
> --- mod_pubcookie.c Wed May 4 15:11:00 2005
> ***************
> *** 746,753 ****
> module_config,
> &pubcookie_module);
>
> ! if (scfg->noblank)
> return (0);
>
> /* If we've stashed the cookie, we know it's already blanked */
> if (ap_table_get (mr->notes, name) ||
> --- 746,760 ----
> module_config,
> &pubcookie_module);
>
> ! if (scfg->noblank && ap_auth_type(r) != 0 &&
> ! pubcookie_auth_type(r) != PBC_CREDS_NONE &&
> ! (strcasecmp(name, PBC_G_COOKIENAME) == 0 ||
> ! strcasecmp(name, PBC_PRE_S_COOKIENAME) == 0 ||
> ! strcasecmp(name, make_session_cookie_name(p,
> ! PBC_S_COOKIENAME, appid(r))) == 0))
> ! {
> return (0);
> + }
>
> /* If we've stashed the cookie, we know it's already blanked */
> if (ap_table_get (mr->notes, name) ||
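Review bot: the new condition replaces the unconditional early return on scfg->noblank, so with PubcookieNoBlank on a cookie now passes through unobscured only when the request is pubcookie-authenticated and the name is the granting, pre-session or this app's session cookie; that narrows the documented meaning of the directive (and of the planned PubcookieNoObscureCookies), so the directive's documentation should state the new semantics. Two things to confirm in blank_cookie(): that `p` passed to make_session_cookie_name() is the pool in scope there, and that deriving the checks from `r` (ap_auth_type(r), pubcookie_auth_type(r), appid(r)) is consistent with the `mr->notes` lookup just below, which keys on the main request. Also, strcasecmp() makes the name match case-insensitive while cookie names are otherwise case-sensitive; the three pubcookie names are fixed, so this is only a style point, and `!= 0` on the pointer returned by ap_auth_type() reads better as `!= NULL`.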
>
>
>
> Steve Losen scl at virginia.edu phone: 434-924-0640
>
> University of Virginia ITC Unix Support
>
>
> _______________________________________________
> pubcookie-dev mailing list
> pubcookie-dev at u.washington.edu
> http://mailman1.u.washington.edu/mailman/listinfo/pubcookie-dev
>
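The visibility policy Steve describes, applied to a whole Cookie header so the cross-app case is visible end to end; this is an added example, not code from pubcookie or from the patch. The cookie-name literals, the "<base>_<appid>" session-cookie naming and dropping the value as the blanking form are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
/* Cookie names: real values live in pubcookie's headers; these literals and
 * the "<base>_<appid>" session-cookie naming are assumptions of this example. */
#define G_COOKIE     "pubcookie_g"
#define PRE_S_COOKIE "pubcookie_pre_s"
#define S_COOKIE     "pubcookie_s"
/* Policy from the thread: only a pubcookie-authenticated request may see the
 * granting, pre-session and its own app's session cookie; all else is obscured. */
int cookie_visible(const char *name, int pubcookie_authn, const char *appid)
{
    char own[256];
    if (!pubcookie_authn) return 0;
    snprintf(own, sizeof own, "%s_%s", S_COOKIE, appid);
    return strcasecmp(name, G_COOKIE) == 0 || strcasecmp(name, PRE_S_COOKIE) == 0 ||
           strcasecmp(name, own) == 0;
}
/* Rewrite a Cookie header, dropping the value of every cookie the policy does
 * not allow through (the name is kept). Returns a malloc'd string; caller frees. */
char *obscure_cookie_header(const char *hdr, int pubcookie_authn, const char *appid)
{
    char *out = malloc(strlen(hdr) + 1), *o = out;
    const char *p = hdr;
    if (!out) return NULL;
    while (*p) {
        const char *end = strchr(p, ';');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', seglen);
        if (!end) end = p + seglen;
        if (eq) {
            const char *ns = p;               /* name starts after any leading blanks */
            char name[128];
            while (*ns == ' ') ns++;
            size_t nlen = (size_t)(eq - ns) < sizeof name ? (size_t)(eq - ns) : sizeof name - 1;
            memcpy(name, ns, nlen); name[nlen] = '\0';
            memcpy(o, p, (size_t)(eq + 1 - p)); o += eq + 1 - p;        /* copy "name=" */
            if (cookie_visible(name, pubcookie_authn, appid)) {
                memcpy(o, eq + 1, (size_t)(end - eq - 1)); o += end - eq - 1;  /* keep value */
            }
        } else {
            memcpy(o, p, seglen); o += seglen;  /* no '=': pass the segment through */
        }
        if (*end == ';') *o++ = *end++;
        p = end;
    }
    *o = '\0';
    return out;
}
```

With this policy a CGI on the shared cluster that is not behind pubcookie sees only cookie names, and app A never receives app B's replayable session value.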