| Summary | H4 Security Audit |
| Queue | Horde Base |
| Queue Version | HEAD |
| Type | Enhancement |
| State | Assigned |
| Priority | 2. Medium |
| Owners | Horde Developers, Chuck Hagenbuch <chuck (at) horde (dot) org> |
| Requester | Chuck Hagenbuch <chuck (at) horde (dot) org> |
| Created | 07/09/09 (252 days ago) |
| Due | |
| Updated | |
| Assigned | |
| Resolved | |
| Attachments | |
| Milestone | 4.0 |
| Patch | No |
State ⇒ Assigned
Milestone ⇒ 4.0
Assigned to
Assigned to Chuck Hagenbuch
Queue ⇒ Horde Base
Summary ⇒ H4 Security Audit
Type ⇒ Enhancement
Priority ⇒ 2. Medium
Patch ⇒
auth scheme by default
need a hook or setting to limit # of unsuccessful login attempts to horde
need a hook or setting to limit easily guessable passwords
require re-authentication before changing passwords, or other sensitive operations
don't use the same secret key for multiple purposes
allow key rotation
reference:
http://cookies.lcs.mit.edu/
http://pdos.csail.mit.edu/papers/webauth:sec10.pdf
make sure cookies are set with the secure flag when ssl is used
get rid of URL-based sessions entirely
limit the lifetime of even session-based cookies
authenticator cookie:
exp=t&data=s&digest=MAC(exp=t&data=s)
- push the username and some other basic info (browser string, ip, ...?) into the data parameter ("s"), to avoid having to init the session on most page loads
- store other session data by key in a backend, accessed on-demand and saved only when dirty? what about commonly used info like prefs? cache with username in the key in the cache backend instead?
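The authenticator cookie format sketched above (exp=t&data=s&digest=MAC(exp=t&data=s)), worked through as an added example; this is not Horde code and not from the referenced paper. It assumes HMAC-SHA256 as the MAC, that the cookie key is derived from a master secret with a purpose label (so the same secret is not reused for other purposes), and that key rotation is handled by signing with the newest key while still accepting cookies signed with keys that have not yet been retired. The secrets and the data string are constructed for the demo.

```python
import hashlib
import hmac
import time
from typing import List, Optional
from urllib.parse import parse_qs, urlencode

# Constructed master secrets for the demo (current and rotated-out predecessor).
MASTER_SECRET = b"example-master-secret-v2"
OLD_MASTER_SECRET = b"example-master-secret-v1"


def derive_key(master: bytes, purpose: str) -> bytes:
    """Purpose-specific subkey, so the cookie MAC key is never the raw master secret
    and a key used for another purpose (e.g. CSRF tokens) is a different value."""
    return hmac.new(master, purpose.encode(), hashlib.sha256).digest()


def _mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(keys: List[bytes], data: str, ttl: int, now: Optional[int] = None) -> str:
    """Build exp=t&data=s&digest=MAC(exp=t&data=s); keys[0] is the newest key and signs."""
    now = int(time.time()) if now is None else now
    payload = urlencode({"exp": now + ttl, "data": data})  # data is percent-encoded
    return f"{payload}&digest={_mac(keys[0], payload)}"


def verify_cookie(keys: List[bytes], cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the data field if the digest is valid under any accepted key and the
    cookie has not expired; otherwise None. The MAC is checked before anything is parsed."""
    now = int(time.time()) if now is None else now
    payload, sep, digest = cookie.rpartition("&digest=")
    if not sep:
        return None
    # Accept the newest key or any older key still in the rotation window;
    # compare in constant time.
    if not any(hmac.compare_digest(_mac(k, payload), digest) for k in keys):
        return None
    fields = parse_qs(payload, keep_blank_values=True)
    try:
        exp = int(fields["exp"][0])
        data = fields["data"][0]
    except (KeyError, ValueError, IndexError):
        return None
    if now >= exp:
        return None
    return data


def demo() -> dict:
    """Round trip plus the failure modes: tampered data, expiry, and a retired key."""
    keys = [derive_key(MASTER_SECRET, "auth-cookie"),
            derive_key(OLD_MASTER_SECRET, "auth-cookie")]
    now = 1_700_000_000
    data = "user=alice;ua=Mozilla/5.0"  # username plus basic client info, as the note suggests
    cookie = make_cookie(keys, data, ttl=3600, now=now)
    tampered = cookie.replace("alice", "admin")
    old_cookie = make_cookie(keys[1:], data, ttl=3600, now=now)  # signed with the old key
    return {
        "valid": verify_cookie(keys, cookie, now=now + 60),
        "tampered": verify_cookie(keys, tampered, now=now + 60),
        "expired": verify_cookie(keys, cookie, now=now + 3601),
        "old_key_still_accepted": verify_cookie(keys, old_cookie, now=now + 60),
        "old_key_retired": verify_cookie(keys[:1], old_cookie, now=now + 60),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Because the digest covers the raw `exp=...&data=...` string, reordering or re-encoding fields invalidates the cookie, and the expiry check happens only after the MAC passes, so an attacker cannot push a forged `exp` through the parser. Retiring a key is just dropping it from the accepted list; cookies signed with it then fail closed.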