5.3.0-git
2014-11-01

[#8423] Security Audit
Summary Security Audit
Queue Horde Base
Queue Version Git master
Type Enhancement
State Assigned
Priority 2. Medium
Owners Horde Developers (at) , chuck (at) horde (dot) org
Requester chuck (at) horde (dot) org
Created 2009-07-10 (1940 days ago)
Due
Updated 2011-03-31 (1311 days ago)
Assigned
Resolved
Milestone 5
Patch No

History
2011-03-31 23:38:46 Jan Schneider Summary ⇒ Security Audit
Version ⇒ Git master
Milestone ⇒ 5
 
2009-07-10 02:57:07 Chuck Hagenbuch Comment #1
State ⇒ Assigned
Patch ⇒ No
Milestone ⇒ 4
Assigned to Horde Developers
Assigned to Chuck Hagenbuch
Queue ⇒ Horde Base
Priority ⇒ 2. Medium
Type ⇒ Enhancement
Summary ⇒ H4 Security Audit
deprecate blatantly insecure auth schemes; make sure to use a salted auth scheme by default

need a hook or setting to limit # of unsuccessful login attempts to horde

need a hook or setting to limit easily guessable passwords

require re-authentication before changing passwords, or other sensitive operations

don't use the same secret key for multiple purposes

allow key rotation

reference:

http://cookies.lcs.mit.edu/

http://pdos.csail.mit.edu/papers/webauth:sec10.pdf

make sure cookies are set with the secure flag when ssl is used

get rid of URL-based sessions entirely

limit the lifetime of even session-based cookies

authenticator cookie:

exp=t&data=s&digest=MAC(exp=t&data=s)

- push the username and some other basic info (browser string, ip, ... ?) into the data parameter ("s"), to avoid having to init the session on most page loads

- store other session data by key in a backend, accessed on-demand and saved only when dirty? what about commonly used info like prefs? cache with username in the key in the cache backend instead?
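Added example, not Horde code and not from the ticket author: a minimal implementation of the authenticator cookie sketched in the comment above (exp=t&data=s&digest=MAC(exp=t&data=s)), written in Python rather than Horde's PHP so it can be run stand-alone. It also shows three of the other items from the list: a per-purpose key derived from one master secret (so the cookie key is never reused for another purpose), a key ring with key ids so keys can be rotated and retired, and a Set-Cookie header that carries the Secure flag when served over TLS and an explicit Max-Age. The key-purpose label, the "kid" field added to the cookie body, the sample secrets and the data string "alice|Mozilla/5.0" are all assumptions made for the example; the ticket does not specify them.

```python
"""Authenticator cookie: exp=t&data=s&kid=k&digest=MAC(exp=t&data=s&kid=k).

Illustrative code written for this page; not part of Horde.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode


def derive_key(master_secret: bytes, purpose: str) -> bytes:
    """Derive a per-purpose key from one master secret (HMAC-SHA256 used as a KDF),
    so the auth-cookie key is never the same bytes as, e.g., a CSRF-token key."""
    return hmac.new(master_secret, purpose.encode("utf-8"), hashlib.sha256).digest()


class CookieAuthenticator:
    """Mints and checks authenticator cookies. Several key ids are kept at once so a
    new key can be rolled in while cookies signed by the old one keep verifying
    until that key is retired."""

    PURPOSE = "horde-auth-cookie"  # hypothetical key-separation label

    def __init__(self, secrets: dict, current_kid: str, lifetime: int):
        self._keys = {kid: derive_key(s, self.PURPOSE) for kid, s in secrets.items()}
        if current_kid not in self._keys:
            raise ValueError("current key id is not in the key ring")
        self._kid = current_kid
        self.lifetime = lifetime

    def rotate(self, new_kid: str, new_secret: bytes) -> None:
        """Start signing with a new key; older keys still verify until retired."""
        self._keys[new_kid] = derive_key(new_secret, self.PURPOSE)
        self._kid = new_kid

    def retire(self, kid: str) -> None:
        """Drop a key; every cookie signed with it stops verifying immediately."""
        if kid == self._kid:
            raise ValueError("cannot retire the key currently used for signing")
        self._keys.pop(kid, None)

    def _mac(self, kid: str, body: str) -> bytes:
        return hmac.new(self._keys[kid], body.encode("utf-8"), hashlib.sha256).hexdigest().encode("ascii")

    def issue(self, data: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        exp = int(now) + self.lifetime
        # urlencode percent-encodes '&' and '=' inside values, so the "&digest="
        # separator appended below cannot be forged from inside `data`.
        body = urlencode({"exp": exp, "data": data, "kid": self._kid})
        return body + "&digest=" + self._mac(self._kid, body).decode("ascii")

    def verify(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Return the data string if the cookie is authentic and unexpired, else None."""
        now = time.time() if now is None else now
        body, sep, digest = cookie.rpartition("&digest=")
        if not sep:
            return None
        fields = parse_qs(body, keep_blank_values=True)
        kid = fields.get("kid", [""])[0]
        if kid not in self._keys:
            return None  # unknown or retired key
        # Constant-time comparison on bytes; a non-ASCII digest from the client
        # simply fails to match instead of raising.
        if not hmac.compare_digest(self._mac(kid, body), digest.encode("utf-8")):
            return None  # tampered or forged
        # Fields are only trusted after the MAC has checked out.
        if now >= int(fields["exp"][0]):
            return None  # expired
        return fields["data"][0]


def set_cookie_header(name: str, value: str, lifetime: int, over_tls: bool) -> str:
    """Set-Cookie header: Secure when served over TLS, HttpOnly, and an explicit
    Max-Age so even a 'session' cookie does not outlive `lifetime` seconds."""
    attrs = [f"{name}={value}", f"Max-Age={lifetime}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if over_tls:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    auth = CookieAuthenticator({"k1": b"secret-one"}, "k1", lifetime=3600)
    cookie = auth.issue("alice|Mozilla/5.0")
    print(set_cookie_header("horde_auth", cookie, 3600, over_tls=True))
    print("verified as:", auth.verify(cookie))
```

The data string is whatever the server chooses to push into the cookie (username plus browser string here); the MAC covers exp, data and kid together, so none of them can be changed without the server's key, and the expiry check only runs once the MAC has passed.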