[Mapbender_dev] authentication credentials and sessions

Marc Jansen jansen at terrestris.de
Fri May 21 09:50:16 EDT 2010


Hi Karim,

thanks for the response.

I am unsure if I have a vote, but if so: +1 for removing 
mb_user_password from the user's session and changing/removing all 
modules which depend on that.

What do others think?

I am far too unfamiliar with the way mapbender wants to go but faintly 
remember that 3.0 was supposed to only have a minimal set of 
functionality. So changing or removing modules not working without the 
mb_user_password in the session should be IMO OK.

Regards,
Marc



On 21.05.2010 14:11, Karim Malhas wrote:
> Hi Marc,
>
>
>> is it true that we currently are storing the supplied credentials of a
>> user in a readable form within the session? If so, why exactly are we
>> doing that?
>
> You mean this in conf/session.conf:
>
>    Mapbender::session()->set("mb_user_password",$password);
>
> ?
>
> ...
>
> I grepped for 'mb_user_password' and found 5 places where the password
> is taken from the session:
>
>   mod_insertKmlIntoDb.php  which seems to be unused (it references the
>   non-existent mb_meetingpoint table)
>
>   javascripts/mod_home.php where the password is used to construct a
>   kind of auto-login, I don't think that's a good idea
>
>   javascripts/mod_saveWmcKml.php is this also obsolete?
>
>   php/mod_meetingPoint.php  and this?
>
>   php/mod_editElements.php I didn't take the time to figure out why, but
>   it opens a new window with the login-frame to also perform a kind of
>   auto-login. I don't see why this is necessary, we already have a
>   Session, so no need for this
>
>
> May I propose we kick mb_user_password from the session asap?
>
> Or were you talking about something else?
>
>
>
>> As I am storing my session data within a database, I see me faced with
>> major security or data privacy issues. Am I exaggerating and paranoid or
>> is this a structural flaw?
>
> I don't think you are exaggerating, passwords don't belong in the session store.
>
>
> Regards,
> Karim
> _______________________________________________
> Mapbender_dev mailing list
> Mapbender_dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapbender_dev
>
>


-- 

   .................................................................
    Published in April:
    OpenLayers - Webentwicklung mit dynamischen Karten und Geodaten
    by M. Jansen and T. Adams, OpenSourcePress, Munich.

    ISBN: 978-3-937514-92-5
    URL:  http://openlayers-buch.de
   .................................................................


   Dipl.-Geogr. Marc Jansen
   - Application Developer -

   terrestris GmbH & Co. KG
   Irmintrudisstraße 17
   53111 Bonn

   Tel:    ++49 (0)228 / 96 28 99 -53
   Fax:    ++49 (0)228 / 96 28 99 -57

   Email:  jansen at terrestris.de
   Web:    http://www.terrestris.de

   Amtsgericht Bonn, HRA 6835
   General partner:  terrestris Verwaltungsgesellschaft mbH
   represented by:   Hinrich Paulsen, Till Adams




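The session-handling pattern the thread argues about, shown as an added example that is not Mapbender's own code: the `mb_user_password` assignment from conf/session.conf beside a login that keeps only the user id in the session, the check an "auto-login" module needs instead of a re-submitted password, and a scan of an existing database-backed session store for rows that still carry the credential. The `users` and `sessions` tables, their column names, and the use of `password_hash()`/`password_verify()` are assumptions made for the example.

```php
<?php
// Added example, not Mapbender code. Assumed for illustration: a `users`
// table (id, username, password_hash) whose hashes come from password_hash(),
// and a `sessions` table (sess_id, sess_data) written by a database-backed
// session handler using PHP's default "php" serializer.

// Shared credential check: returns the user id on success, null otherwise.
function verify_user(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// BEFORE: the cleartext credential is copied into the session. Whatever the
// session handler persists (file, database row, cache entry) then carries the
// password for the session's whole lifetime, readable by anyone with access
// to that store and by every module that reads $_SESSION.
function login_storing_password(PDO $db, string $username, string $password): bool
{
    $id = verify_user($db, $username, $password);
    if ($id === null) {
        return false;
    }
    $_SESSION['mb_user_id']       = $id;
    $_SESSION['mb_user_password'] = $password; // the assignment the thread objects to
    return true;
}

// AFTER: the session records only who authenticated and when. Nothing in the
// session store can be replayed as a credential.
function login_session_only(PDO $db, string $username, string $password): bool
{
    $id = verify_user($db, $username, $password);
    if ($id === null) {
        return false;
    }
    session_regenerate_id(true);        // fresh id after login; old record is deleted
    $_SESSION['mb_user_id']    = $id;
    $_SESSION['mb_login_time'] = time();
    return true;
}

// What the "auto-login" modules should rely on instead of re-sending a
// password: the existing session already proves the user is authenticated.
function require_login(): int
{
    if (empty($_SESSION['mb_user_id'])) {
        http_response_code(401);
        exit('not logged in');
    }
    return (int) $_SESSION['mb_user_id'];
}

// One-off audit of an existing database-backed session store: list the
// session rows that still contain the credential key. The "php" serializer
// writes each variable as `name|serialized_value;`, so a prefix test finds
// the key without unserializing data of unknown origin.
function sessions_with_passwords(PDO $db): array
{
    $found = [];
    foreach ($db->query('SELECT sess_id, sess_data FROM sessions') as $row) {
        if (strpos($row['sess_data'], 'mb_user_password|') !== false) {
            $found[] = $row['sess_id'];
        }
    }
    return $found;
}
```

Removing the `set("mb_user_password", ...)` call stops new sessions from carrying the password, but rows already written to the session table keep it until they expire; running `sessions_with_passwords()` and deleting the rows it reports (or simply truncating the table after the change is deployed) closes that window. If the session handler uses the `php_serialize` serializer instead of the default, the key appears as `s:16:"mb_user_password";` and the prefix test must be adjusted accordingly.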