Menu
▾
▴
[Phpwiki-talk] Re: [phpwiki-checkins] CVS: phpwiki/lib WikiUserNew.php,NONE,1.1
|
From: Carsten K. <car...@us...> - 2003-12-13 07:13:56
|
On Friday, December 12, 2003, at 10:52 am, Joby Walker wrote: > Carsten, > > This looks good, but as I read this you are storing the > username&password (in human readable form) in the contents of a cookie > on the end-user's machine. This seems quite bad to me. SOP, for web > sites is to store a cookie with a unique id (UID). The cookie id plus > some unique features of the client (IP, browser, time, etc) are then > checked by the server against it's session database and if verified > the user is logged in (very similar to Kerberos). But by storing the > username & password in the cookie, it someone reads the cookie they > will have complete access to that account. > > A quick review of the cookies currently in my broswer shows: > > 1) UID's are primarily used -- especially with commercial sites. > 2) Passwords are not stored in cookies. > 3) Userid's, if used instead of a UID, are encrypted. > 4) Very little data is in human readable form -- and none of it is > critical info. > > If I am mistaken about what you are storing in the cookie ... then > ignore. But I am quite worried about this development. > > On a better note the classes look good. Having different classes with > common methods will be very helpful for the future of phpwiki. > > jbw > > Carsten Klapp wrote: > >> Update of /cvsroot/phpwiki/phpwiki/lib >> In directory sc8-pr-cvs1:/tmp/cvs-serv19754 >> Added Files: >> WikiUserNew.php Log Message: >> Complete rewrite of WikiUser.php. Hi Joby, Thank you for the feedback, I always appreciate it! I finally got my own wiki up and running again (see http://phpwiki.sourceforge.net/phpwiki/KnownBugs, search for OldTextFormattingRules) so the good news is I'll be able to do extensive testing on the WikiUserNew stuff before deploying it into PhpWiki CVS. Rest assured, it's always been my intention to make sure the password will be stored encrypted, whether in a cookie or within the homepage, so long as the PHP module is compiled to allow the function crypt(). I'm sure the WikiUserNew.php doesn't completely reflect all this yet in its current state, but I'll make sure it does in upcoming versions. :) As far as storing the password itself (encrypted or not) within a cookie for auto-login, I'm not too concerned at the moment, especially about encrypting WikiUserIds. As Reini said, "it's only a wiki." It's pretty commonly known that UserIds on a wiki are just the UserName. But if a user were to enable (the upcoming feature) "auto-login", I believe for now it should be sufficient enough upon enabling AutoLogin to just give the user a quick reminder message that, "anyone could potentially log in from that machine when auto-login is enabled" or something similar. (Joby, please do remind me later if I somehow forget to do this(:). Once banks or other financial institutions decide to start using PhpWiki ;) there's no reason why we can't (hopefully, be paid to) revisit the code. In that case those sites would definitely be using TSL/SSL too; not that it would *completely* alleviate the need for internally encrypted passwords but it makes coding some other things a little easier. So rereading your message, I think it would indeed be best to continue to use the PHPSESSION cookie stuff wherever possible as you suggest, like PhpWiki 1.3.6/7pre currently does, to keep the cookie-passing to a minimum until such time as a user actually changes and saves his/her UserPreferences. Where the prefs & passwd are stored of course will depend on the type of user (AnonUser, BogoUser, PassUser, AdminUser, etc.) A little more work to the new code will be needed for all that but I think that's the way I'm going to go. And as the NewWikiUser code evolves too please continue to let me know if there's anything that might need changing or more thought. Since we're talking about security here, naturally any follow-ups or concerns are welcome from anyone: I don't mean to imply IKnowEverything/ISeeAll here... Cheers, Carsten |
