[ic] New SecureProtect directive to prevent sidejacking

Mike Heins mike at perusion.com
Sat Oct 30 04:13:33 UTC 2010


Quoting Peter (peter at pajamian.dhs.org):
> On 30/10/10 16:51, Mike Heins wrote:
> > Quoting Peter (peter at pajamian.dhs.org):
> >> On 30/10/10 11:28, Josh Lavin wrote:
> >>> New SecureProtect configuration directive (sidejacking fix)
> >>>
> >>> Author: Mike Heins
> >>>
> >>> This is a defense to "sidejacking", the collection of a session cookie
> >>> by a host on an unsecure network. When SecureProtect is active, the
> >>> UserDB login process creates a passhash of the encrypted password. This,
> >>> along with username, login_table, and a "secret" set in the
> >>> configuration, is used to check subsequent secure accesses to the catalog.
> >> This is great.  I've been wanting to implement something like this
> >> myself for ages but just haven't had the time.
> >>
> >> I take it that this only protects the session for secure pages, so if
> >> you implement this you should make sure that any important input or
> >> sharing of private details happens on a secure page (via the
> >> AlwaysSecure and ExtraSecure directives)?
> > 
> > You also need to have a logged in status to be protected. Obviously
> > you couldn't get to a secure login page otherwise....
> 
> Why do we need to limit it to logged in users?  Why can't we protect
> secure pages in the session before someone is logged in?

Nothing stops you from generating your own MV_SHASH via another
process. Feel free.

But what information would you base the hashing on? We can't use IP
address or MAC address, if they are sniffing. Session keys are kind of
pointless -- if you did that you would only be protected on
the *second* page. What's the point?

And why would you put secure information in a session before someone
authenticates? In normal operation, you don't want to use SSL, and
why waste CPU cycles on a random non-authenticated user?

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.328.4479  <mike at perusion.com>

Being against torture ought to be sort of a bipartisan thing.
-- Karl Lehenbauer
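
An added sketch of the check the quoted commit message describes, not Interchange's own code. It assumes the hash travels in a cookie flagged Secure (named MV_SHASH here after the variable Mike mentions) and that HMAC-SHA256 is the hash; the function names and sample values are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # stands in for the configured "secret"

def passhash(crypted_password: str) -> str:
    """Hash of the already-encrypted password, as the commit message describes."""
    return hashlib.sha256(crypted_password.encode()).hexdigest()

def token(username: str, login_table: str, phash: str) -> str:
    """Value bound to username, login_table, passhash and the server secret."""
    msg = "\x00".join([username, login_table, phash]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def login(session: dict, username: str, login_table: str, crypted: str) -> str:
    """Mark the session logged in; return the value for the Secure-flagged cookie."""
    session.update(logged_in=True, username=username,
                   login_table=login_table, passhash=passhash(crypted))
    return token(username, login_table, session["passhash"])

def allow(session: dict, secure: bool, cookies: dict) -> bool:
    """Decide whether a request riding on this session may proceed."""
    if not secure or not session.get("logged_in"):
        # Plain-HTTP requests and anonymous sessions have nothing to check against.
        return True
    expected = token(session["username"], session["login_table"], session["passhash"])
    # Assumed cookie name; a Secure cookie is never sent over plain HTTP,
    # so a host that only sniffed the session cookie does not hold it.
    return hmac.compare_digest(expected, cookies.get("MV_SHASH", ""))

def demo() -> dict:
    session = {"id": "constructed-session-id"}
    shash = login(session, "alice", "userdb", "$1$constructed$crypt")
    return {
        "owner_https": allow(session, True, {"MV_SHASH": shash}),
        "stolen_session_https": allow(session, True, {}),
        "stolen_session_http": allow(session, False, {}),
        "anonymous_https": allow({"id": "constructed-anon"}, True, {}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'rejected'}")
```

Only the secure request on a logged-in session is rejected without the cookie, which is why the thread points to AlwaysSecure and ExtraSecure for pages that handle private details.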


