[Mapbender_dev] authentication credentials and sessions

Karim Malhas karim at malhas.de
Fri May 21 08:11:45 EDT 2010

Hi Marc,

> is it true that we currently are storing the supplied credentials of a 
> user in a readable form within the session? If so, why exactly are we 
> doing that?

You mean this in conf/session.conf:




I grepped for 'mb_user_password' and found 5 places where the password
is taken from the session:

 mod_insertKmlIntoDb.php  which seems to be unused (it references the
 none-existant mb_meetingpoint table

 javascripts/mod_home.php where the password is used to construct a
 kind of auto-login, I don't think that's a good idea

 javascripts/mod_saveWmcKml.php is this also obsolete?

 php/mod_meetingPoint.php  and this?

 php/mod_editElements.php I didn't take the time to figure out why, but 
 it opens a new window with the login-frame to also perform a kind of
 auto-login. I don't see why this is neccessary, we already have a
 Session, so no need for this

May I propose we kick mb_user_password from the session asap?

Or were you talking about something else?

> As I am storing my session data within a database, I see me faced with 
> major security or data privacy issues. Am I exaggerating and paranoid or 
> is this a structural flaw?

I don't think you are exaggerating, passwords don't belong in the Sessionstore. 


More information about the Mapbender_dev mailing list