[pubcookie-dev] Interesting multiple server behavior
dors at cac.washington.edu
Tue Oct 11 15:25:08 PDT 2005
> The issue it identified though was a possible DOS. With the cookie scoped
> properly at login.wisc.edu a person in the .wisc.edu domain could set a
> pubcookie_l cookie at wisc.edu. This would send both the login.wisc.edu and
> the wisc.edu pubcookie_l cookies to the login server at login.wisc.edu. The
> login server can not handle multiple pubcookie_l cookies and asks the user
> to re-authenticate. This will always happen until the pubcookie_l cookie
> at .wisc.edu expires.
Hmm. This is just the kind of question that risk management
committees like to chew on. How would you assess the risk here,
the potential harm? And what are the chances of this DOS occurring
to a single user vs. the whole population of users at once?
(Unlikely and impossible, I'd say, respectively.)
I can imagine a similar DOS would be simply to set a sufficient
number of .wisc.edu cookies such that, upon visiting the login
server, Apache has to respond with that "Size of a request header
field exceeds server limit" message. Here the user wouldn't even
make it to the login cgi. But in either case the user needs to
flush his/her cookies to be able to log in again. Is that so bad?
More information about the pubcookie-dev