[Cosmo-dev] CMP and AJAX
Travis Vachon
travis at osafoundation.org
Fri Sep 22 09:23:19 PDT 2006
Bobby and I talked about this yesterday, and he showed me an idea he
credited to Matthew, so this may not be new, but may be particularly
applicable...
If we're willing to add another security protocol to CMP (which I think
is going to be necessary to do what we want to do securely), we could do
something like this:
- When a client logs into Cosmo, the server returns a time stamp and a
hash generated from the time stamp and the user's password (i.e.,
MD5(password + time_stamp)).
- The client stores the hash and username in a cookie, and sends it
along with any request for a protected URL (e.g., /cmp/users).
- When the server receives a hash and username, it calculates the
expected hash for that user. If they match, it allows access.
Two points:
- If a Bad Guy steals the hash, they'll have access to the user's page
for a time period set by the server (e.g., 5 minutes after the time
stamp). They will not have the user's password.
- This is quite a bit like session based authentication, except that the
server does not need to store extra state beyond user details (that is,
does not need to remember a session id).
- The downside is that we've added an extra, potentially computationally
expensive step to each request that needs to be authenticated.
I think this is unnecessary for the very short term. I'd like to
implement the new admin ui using the current basic authentication, and
include a disclaimer that security is not up to snuff. This, however,
provides an excellent path for improving our security. I'd even be happy
to implement it after the admin ui redesign happens.
An added bonus is that this could be used everywhere in the app as the
basis for a fully sessionless interface, which would be neat.
Thoughts?
Travis
Brian Moseley wrote:
> On 9/21/06, Matthew Eernisse <mde at osafoundation.org> wrote:
>
>> The cookie option is probably even worse than a JS variable, since
>> cross-site shenanigans could in theory give malicious people access to
>> that cookie. There's also a nice GUI you can use to look at all the
>> cookies set in a browser. Poking around for a variable with a JS shell
>> would at least require some facility with programming and knowledge of
>> the source code.
>
> yea, but the issue is storing the credentials from the point when they
> are submitted on the login screen, across the page refresh to the next
> screen, at which point the credentials are needed by ajax requests.
> where does the login screen put the credentials so that the next
> screen can see them?
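The scheme Travis sketches above, written out as an added example (this is not Cosmo code): the login step that issues the hash, and the per-request check with the 5-minute window. The MD5(password + time_stamp) construction is the message's own; the cookie also carrying the time stamp, and the server-side user store, are assumptions made here so the server can recompute the hash.

```python
import hashlib
import hmac
from typing import Optional

TOKEN_LIFETIME = 300  # seconds: "5 minutes after the time stamp"

# Constructed sample user store. The scheme needs the server to know the
# password (or something derived from it) in order to recompute the hash.
USERS = {"alice": "correct horse battery staple"}


def compute_hash(password: str, time_stamp: int) -> str:
    """MD5(password + time_stamp), the construction from the message."""
    return hashlib.md5(f"{password}{time_stamp}".encode()).hexdigest()


def login(username: str, password: str, now: int) -> Optional[dict]:
    """Server side of login: returns the cookie payload, or None on failure."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return None
    # Assumption: the time stamp travels in the cookie next to the hash,
    # so the server keeps no per-session state.
    return {"username": username, "time_stamp": now,
            "hash": compute_hash(password, now)}


def authorize(cookie: dict, now: int) -> bool:
    """Server side of a request for a protected URL such as /cmp/users."""
    try:
        username = cookie["username"]
        time_stamp = int(cookie["time_stamp"])
        presented = cookie["hash"]
    except (KeyError, TypeError, ValueError):
        return False  # malformed or missing cookie
    password = USERS.get(username)
    if password is None:
        return False
    # Reject anything outside the validity window, including time stamps
    # from the future that a tampered cookie might carry.
    if not 0 <= now - time_stamp <= TOKEN_LIFETIME:
        return False
    expected = compute_hash(password, time_stamp)
    # Constant-time comparison: a mismatch reveals nothing about the bytes.
    return hmac.compare_digest(expected, presented)
```

A stolen cookie is accepted until the window closes and rejected afterwards, which is exactly the exposure the first bullet describes; a production version of the same idea would use an HMAC over a per-user secret instead of MD5 over the raw password.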