
#310 Session Data Gets Mangled / NoccKey and NoccIdent

Status: closed-fixed
Priority: 5
Updated: 2006-08-15
Created: 2006-07-17
Private: No

The session key used for crypting the password doesn't
appear to get updated when a user logs out and logs
back in with a different login.

If I login as userA with a clean session, then logout
and log back in as userB, the NoccKey session variable
doesn't seem to get updated properly.

This may also have something to do with NoccIdent variable.

Which brings me to my next point: the NoccIdent
variable contains session data that is deemed sensitive
and should _never_ be sent back to the browser after
the initial login.

This variable contains data that is merely base64
encoded, containing the username and password in cleartext.

These things, which I agree are required for operation,
should be stored in the server-side session files only,
and stored in some sort of obfuscated way.

Discussion

  • Anonymous

    Anonymous - 2006-08-15
    • assigned_to: nobody --> goddess_skuld
     
  • Anonymous

    Anonymous - 2006-08-15

    Logged In: YES
    user_id=529507

    About the update of NoccKey: the key should be updated each
    time a user logs on. It's the function time() (which changes
    every second), crypted with crypt() (random DES hash), done
    three times. And I doubt you can login, then logout, then
    login again within the same second, and with the same "salt"
    each time the crypt function is used. You should look at
    your server or PHP or browser settings; the cookie must
    change (I tried with many browsers / OSes, and it changes
    each time).

    About NoccIdent: I agree that the login / pass must not be
    sent to the browser, and I'm working on it. The only problem
    is to store the password in an obfuscated way. I can't use
    any hash function, because I can't get the password back
    from the hash; base64 or any related encoding is easy to
    decrypt, and encodings which need a key to be decoded need
    to have the key protected in some way.

    I think I'll use base64 encode/decode, and the webmail
    admin will have to store the file with session information
    in a folder not accessible to online users, nor to system
    users except root and the http daemon.

     
  • Anonymous

    Anonymous - 2006-08-15

    Logged In: YES
    user_id=529507

    I finally used the following solution:
    - a master key within nocc.conf
    - a file containing session information, with the password
    encrypted with the master key
    - a cookie with a login@domain value in order to retrieve the
    correct session information file.

    Cookie NoccKey is no longer used.
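The store the fix describes (master key in nocc.conf, password encrypted in a server-side session file, cookie used only to locate that file), written out as an added example that is not NOCC's own code. Function names, the file layout and the use of a random token in the cookie instead of login@domain (so the cookie reveals neither identity nor a guessable filename) are assumptions made for this example.

```php
<?php
// Added example, not NOCC's code: server-side session store in the shape the
// thread settles on. Function names, file layout and the random cookie token
// in place of login@domain are assumptions made for this example.
// AES-256 key from the master key in nocc.conf (ideally 32 random bytes).
function nocc_session_key(string $masterKey): string {
    return hash('sha256', $masterKey, true);
}
// Encrypt the password, write the session file, return the cookie token.
// A fresh token on every login also avoids the stale-key symptom reported.
function nocc_session_store(string $dir, string $masterKey, string $login, string $password): string {
    $token = bin2hex(random_bytes(16));   // opaque: reveals neither login nor password
    $nonce = random_bytes(12);            // fresh GCM nonce for every record
    $tag = '';
    $cipher = openssl_encrypt($password, 'aes-256-gcm', nocc_session_key($masterKey),
                              OPENSSL_RAW_DATA, $nonce, $tag, $login); // login bound as AAD
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    $record = json_encode(['login' => $login, 'nonce' => base64_encode($nonce),
                           'tag' => base64_encode($tag), 'cipher' => base64_encode($cipher)]);
    $path = "$dir/$token.sess";
    file_put_contents($path, $record, LOCK_EX);
    chmod($path, 0600);                   // readable by the http daemon only, as the thread recommends
    return $token;
}
// Resolve a cookie token. Null for a malformed token, a missing file, or a
// record whose GCM tag fails (file edited, login/AAD swapped, key changed).
function nocc_session_load(string $dir, string $masterKey, string $token): ?array {
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;                      // the cookie must never steer the file path
    }
    $raw = @file_get_contents("$dir/$token.sess");
    $r = $raw === false ? null : json_decode($raw, true);
    if (!is_array($r)) {
        return null;
    }
    $password = openssl_decrypt(base64_decode($r['cipher']), 'aes-256-gcm',
                                nocc_session_key($masterKey), OPENSSL_RAW_DATA,
                                base64_decode($r['nonce']), base64_decode($r['tag']), $r['login']);
    return $password === false ? null : ['login' => $r['login'], 'password' => $password];
}
// Usage with constructed values (the master key would come from nocc.conf):
$dir = sys_get_temp_dir();
$token = nocc_session_store($dir, 'master-key-from-nocc.conf', 'userA@example.org', 'imap-pass');
$s = nocc_session_load($dir, 'master-key-from-nocc.conf', $token);
assert($s !== null && $s['password'] === 'imap-pass');
assert(nocc_session_load($dir, 'master-key-from-nocc.conf', '../nocc.conf') === null);
```

On logout the session file should be unlinked and the cookie cleared, so a second login as a different user always starts from a new token and a new record.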

     
  • Anonymous

    Anonymous - 2006-08-15

    Logged In: YES
    user_id=529507

    Fixed in CVS.

    It'll be included in next release.

    But you can download daily snapshots at:
    http://nocc.sourceforge.net/download/

    Thanks for the bug report.

     
  • Anonymous

    Anonymous - 2006-08-15
    • status: open --> closed-fixed
     
