[Mapbender_dev] authentication credentials and sessions
Marc Jansen
jansen at terrestris.de
Fri May 21 09:50:16 EDT 2010
Hi Karim,
thanks for the response.
I am unsure if I have a vote, but if so: +1 for removing
mb_user_password from the users session and changing/removing all
modules which depend on that.
What do others think?
I am far to unfamiliar with the way mapbender wants to go but remember
faintly, that 3.0 was supposed to only have a minimal set of
functionality. So changing or removing modules not working without the
mb_user_password in the session should be IMO OK.
Regards,
Marc
On 21.05.2010 14:11, Karim Malhas wrote:
> Hi Marc,
>
>
>> is it true that we currently are storing the supplied credentials of a
>> user in a readable form within the session? If so, why exactly are we
>> doing that?
>>
> You mean this in conf/session.conf:
>
> Mapbender::session()->set("mb_user_password",$password);
>
> ?
>
> ...
>
> I grepped for 'mb_user_password' and found 5 places where the password
> is taken from the session:
>
> mod_insertKmlIntoDb.php which seems to be unused (it references the
> none-existant mb_meetingpoint table
>
> javascripts/mod_home.php where the password is used to construct a
> kind of auto-login, I don't think that's a good idea
>
> javascripts/mod_saveWmcKml.php is this also obsolete?
>
> php/mod_meetingPoint.php and this?
>
> php/mod_editElements.php I didn't take the time to figure out why, but
> it opens a new window with the login-frame to also perform a kind of
> auto-login. I don't see why this is neccessary, we already have a
> Session, so no need for this
>
>
> May I propose we kick mb_user_password from the session asap?
>
> Or were you talking about something else?
>
>
>
>> As I am storing my session data within a database, I see me faced with
>> major security or data privacy issues. Am I exaggerating and paranoid or
>> is this a structural flaw?
>>
> I don't think you are exaggerating, passwords don't belong in the Sessionstore.
>
>
> Regards,
> Karim
> _______________________________________________
> Mapbender_dev mailing list
> Mapbender_dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapbender_dev
>
>
--
.................................................................
Im April erschienen:
OpenLayers - Webentwicklung mit dynamischen Karten und Geodaten
von M. Jansen und T. Adams, OpenSourcePress, München.
ISBN: 978-3-937514-92-5
URL: http://openlayers-buch.de
.................................................................
Dipl.-Geogr. Marc Jansen
- Anwendungsentwickler -
terrestris GmbH& Co. KG
Irmintrudisstraße 17
53111 Bonn
Tel: ++49 (0)228 / 96 28 99 -53
Fax: ++49 (0)228 / 96 28 99 -57
Email: jansen at terrestris.de
Web: http://www.terrestris.de
Amtsgericht Bonn, HRA 6835
Komplementärin: terrestris Verwaltungsgesellschaft mbH
vertreten durch: Hinrich Paulsen, Till Adams
More information about the Mapbender_dev
mailing list