[Mapbender_dev] authentication credentials and sessions
Karim Malhas
karim at malhas.de
Fri May 21 08:11:45 EDT 2010
Hi Marc,
> is it true that we currently are storing the supplied credentials of a
> user in a readable form within the session? If so, why exactly are we
> doing that?
You mean this in conf/session.conf:
Mapbender::session()->set("mb_user_password",$password);
?
...
I grepped for 'mb_user_password' and found 5 places where the password
is taken from the session:
- mod_insertKmlIntoDb.php which seems to be unused (it references the
  non-existent mb_meetingpoint table)
- javascripts/mod_home.php where the password is used to construct a
  kind of auto-login, I don't think that's a good idea
- javascripts/mod_saveWmcKml.php is this also obsolete?
- php/mod_meetingPoint.php and this?
- php/mod_editElements.php I didn't take the time to figure out why, but
  it opens a new window with the login-frame to also perform a kind of
  auto-login. I don't see why this is necessary, we already have a
  session, so no need for this
May I propose we kick mb_user_password from the session asap?
Or were you talking about something else?
> As I am storing my session data within a database, I see me faced with
> major security or data privacy issues. Am I exaggerating and paranoid or
> is this a structural flaw?
I don't think you are exaggerating, passwords don't belong in the session store.
Regards,
Karim
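The two session patterns contrasted in the message above, as an added example (not Mapbender project code). It uses plain PHP session arrays rather than the Mapbender::session() wrapper, a constructed in-memory user table, and hypothetical function names (loginWeak, loginHardened, isAuthenticated, findCredentialKeys); the point is that the hardened session holds only a user id and a login time, so a readable session store (files or a database table) no longer leaks credentials, and later requests rely on the session instead of re-submitting the password.

```php
<?php
// Added example, not Mapbender code. Demonstrates why a cleartext password
// in the session store is a problem and what to store instead.
declare(strict_types=1);

// Constructed sample user table (in Mapbender this comes from the DB).
// Only a password hash is stored, never the password itself.
function userTable(): array {
    static $table = null;
    if ($table === null) {
        $table = ['alice' => ['id' => 42, 'hash' => password_hash('s3cret', PASSWORD_DEFAULT)]];
    }
    return $table;
}

// Weak pattern, equivalent to conf/session.conf: the cleartext password stays
// in the session for the whole login. Whoever can read the session backend
// (DB table, session files, a backup) reads the password.
function loginWeak(array &$session, string $user, string $password): bool {
    $row = userTable()[$user] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;
    }
    $session['mb_user_id']       = $row['id'];
    $session['mb_user_password'] = $password; // the defect being discussed
    return true;
}

// Hardened pattern: the session records only "this client authenticated as
// user N at time T". Nothing in it can be replayed as a credential.
function loginHardened(array &$session, string $user, string $password): bool {
    $row = userTable()[$user] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new id on privilege change (fixation defence)
    }
    $session = [];                      // drop any pre-login state
    $session['mb_user_id']   = $row['id'];
    $session['mb_auth_time'] = time();
    return true;
}

// What the "auto-login" modules should check instead of re-using the password:
// an authenticated session that has not exceeded its maximum lifetime.
function isAuthenticated(array $session, int $maxAgeSeconds = 8 * 3600): bool {
    return isset($session['mb_user_id'], $session['mb_auth_time'])
        && (time() - (int)$session['mb_auth_time']) <= $maxAgeSeconds;
}

// Audit helper: the check Karim did by hand with grep, applied to a session
// array. Flags keys that look like they hold a credential.
function findCredentialKeys(array $session): array {
    $suspect = [];
    foreach ($session as $key => $value) {
        if (preg_match('/passw(or)?d|pwd|secret/i', (string)$key)) {
            $suspect[] = (string)$key;
        }
    }
    return $suspect;
}

// Demo run.
$weak = [];
loginWeak($weak, 'alice', 's3cret');
$hard = [];
loginHardened($hard, 'alice', 's3cret');
printf("weak session leaks: %s\n", implode(', ', findCredentialKeys($weak)) ?: 'nothing');
printf("hardened session leaks: %s\n", implode(', ', findCredentialKeys($hard)) ?: 'nothing');
printf("hardened session authenticated: %s\n", isAuthenticated($hard) ? 'yes' : 'no');
```

If a module genuinely needs the password again (for example to forward it to another service), that is a separate design problem; the session should never be that store, and a re-prompt or a dedicated short-lived token is the usual replacement.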