5.2.0-git
04/18/2014

[#8423] Security Audit
Summary Security Audit
Queue Horde Base
Queue Version Git master
Type Enhancement
State Assigned
Priority 2. Medium
Owners Horde Developers (at) , chuck (at) horde (dot) org
Requester chuck (at) horde (dot) org
Created 07/10/2009 (1743 days ago)
Due
Updated 03/31/2011 (1114 days ago)
Assigned
Resolved
Milestone 5
Patch No

History
03/31/2011 11:38:46 PM Jan Schneider Summary ⇒ Security Audit
Version ⇒ Git master
Milestone ⇒ 5
 
07/10/2009 02:57:07 AM Chuck Hagenbuch Comment #1
State ⇒ Assigned
Patch ⇒ No
Milestone ⇒ 4
Assigned to Horde Developers
Assigned to Chuck Hagenbuch
Queue ⇒ Horde Base
Priority ⇒ 2. Medium
Type ⇒ Enhancement
Summary ⇒ H4 Security Audit
deprecate blatantly insecure auth schemes; make sure to use a salted auth scheme by default

need a hook or setting to limit # of unsuccessful login attempts to horde

need a hook or setting to limit easily guessable passwords

require re-authentication before changing passwords, or other sensitive operations

don't use the same secret key for multiple purposes

allow key rotation

reference:

http://cookies.lcs.mit.edu/

http://pdos.csail.mit.edu/papers/webauth:sec10.pdf

make sure cookies are set with the secure flag when ssl is used

get rid of URL-based sessions entirely

limit the lifetime of even session-based cookies

authenticator cookie:

exp=t&data=s&digest=MAC(exp=t&data=s)

- push the username and some other basic info (browser string, ip, ... ?) into the data parameter ("s"), to avoid having to init the session on most page loads

- store other session data by key in a backend, accessed on-demand and saved only when dirty? what about commonly used info like prefs? cache with username in the key in the cache backend instead?