authorBuchan Milne <buchan@mageia.org>2010-11-03 09:17:19 +0000
committerBuchan Milne <buchan@mageia.org>2010-11-03 09:17:19 +0000
commit3dbf3dc41d0534e552118eed3d3b3ecfb72f6032 (patch)
treedde56c59d9ae516a7cf27408831b5c7b84db537d /lib
parent1b9ef58ce697235ef6e6ac4e71f15603e949155f (diff)
Use a generated UUID stored in a cookie, instead of the session key, as a portion
of the encryption key we use to encrypt the password for storage in the session. It should now be more or less impossible for an attacker to get the password, as they need access to the browser and the server.
Diffstat (limited to 'lib')
-rw-r--r--lib/CatDap/Controller/user.pm17
1 files changed, 14 insertions, 3 deletions
diff --git a/lib/CatDap/Controller/user.pm b/lib/CatDap/Controller/user.pm
index fbdfed7..dc68d97 100644
--- a/lib/CatDap/Controller/user.pm
+++ b/lib/CatDap/Controller/user.pm
@@ -6,6 +6,7 @@ use Net::LDAP::Schema;
use Net::LDAP::Extension::SetPassword;
use Net::LDAP::Control::PasswordPolicy 0.02;
use Crypt::CBC;
+use Data::UUID;
use Data::Dumper;
BEGIN {extends 'Catalyst::Controller'; }
@@ -29,7 +30,12 @@ CatDap::Model::User, which uses Catalyst::Model::LDAP::FromAuthentication,
which effectively requires calling $c->authenticate on every request.
To do this, we keep the password, encrypted with blowfish, using the
-(for now), first 3 octets of IPv4 request address and the session id as the key.
+(for now), first 3 octets of IPv4 request address and a UUID string (stored in
+a cookie) as the key. To access the password, an attacker would need:
+- the first 3 octets of IPv4 request (not stored anywhere, but accessible
+ in server logs)
+- the encrpyted password (only available server-side in the session variable)
+- the UUID key portion (only available on the browser-side in a cookie)
So, if the user does "not exist", we authenticate them, if it succeeds we encrypt
the password and store it in the session.
@@ -64,10 +70,14 @@ sub auto : Private {
#}
#$c->persist_user;
$c->log->info('Logging user in to LDAP');
- $cipher = Crypt::CBC->new( -key => $keyprefix . $c->sessionid,
+
+ my $ug = Data::UUID->new;
+ my $key = $ug->create_str();
+ $cipher = Crypt::CBC->new( -key => $keyprefix . $key,
-cipher => 'Blowfish'
) or die $!;
$c->session->{enc_password} = $cipher->encrypt($c->req->param('password') || $c->req->param('key'));
+ $c->response->cookies->{'key'} = { value => $key, expires => '+10m' };
$c->stash(pages => roles2pages($c->user->roles));
$c->session->{dn} = $c->user->ldap_entry->dn;
$c->session->{user} = $c->req->param('username');
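Review bot: The cookie set at `$c->response->cookies->{'key'} = { value => $key, expires => '+10m' };` carries no `secure` or `httponly` attribute, so the key portion the commit message describes as browser-only can travel over plain HTTP and is readable by page scripts; Catalyst accepts those keys in the cookie hash, so `$c->response->cookies->{'key'} = { value => $key, expires => '+10m', secure => 1, httponly => 1 };` closes that gap. The `+10m` expiry is also likely shorter than the session lifetime, so a request after ten minutes on a still-valid session reaches `$c->req->cookie('key')->value` in the following hunk with no cookie at all and dies on an undefined value; that branch should test for a missing cookie and fall back to re-authentication. Separately, Data::UUID produces time/node-based (v1-style) identifiers rather than CSPRNG output, so `$key` is less unpredictable than the commit message implies and a value drawn from a cryptographic random source would be a better fit for key material. `sub auto` begins and ends outside this hunk.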
@@ -76,7 +86,8 @@ sub auto : Private {
}
} else {
- $cipher = Crypt::CBC->new( -key => $keyprefix . $c->sessionid,
+ my $key = $c->req->cookie('key')->value;
+ $cipher = Crypt::CBC->new( -key => $keyprefix . $key,
-cipher => 'Blowfish'
) or die $!;
$password = $cipher->decrypt($c->session->{enc_password});