| Summary | Security Audit | 
| Queue | Horde Base | 
| Queue Version | Git master | 
| Type | Enhancement | 
| State | Assigned | 
| Priority | 2. Medium | 
| Owners | Horde Developers (at) , chuck (at) horde (dot) org | 
| Requester | chuck (at) horde (dot) org | 
| Created | 07/10/2009 | 
| Due | |
| Updated | 03/31/2011 | 
| Assigned | |
| Resolved | |
| Milestone | 5 | 
| Patch | No | 
Version ⇒ Git master
Milestone ⇒ 5
Priority ⇒ 2. Medium
Patch ⇒ No
Milestone ⇒ 4
Assigned to
Assigned to Chuck Hagenbuch
Queue ⇒ Horde Base
Summary ⇒ H4 Security Audit
Type ⇒ Enhancement
State ⇒ Assigned
- auth scheme by default
- need a hook or setting to limit # of unsuccessful login attempts to horde
- need a hook or setting to limit easily guessable passwords
- require re-authentication before changing passwords, or other sensitive operations
- don't use the same secret key for multiple purposes
- allow key rotation
  reference:
  http://cookies.lcs.mit.edu/
  http://pdos.csail.mit.edu/papers/webauth:sec10.pdf
- make sure cookies are set with the secure flag when ssl is used
- get rid of URL-based sessions entirely
- limit the lifetime of even session-based cookies
authenticator cookie:
exp=t&data=s&digest=MAC(exp=t&data=s)
- push the username and some other basic info (browser string, ip, ... ?) into the data parameter ("s"), to avoid having to init the session on most page loads
- store other session data by key in a backend, accessed on-demand and saved only when dirty? what about commonly used info like prefs? cache with username in the key in the cache backend instead?
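The `exp=t&data=s&digest=MAC(exp=t&data=s)` authenticator cookie sketched above, as an added example (not Horde code): the MAC covers both the expiry and the data so neither can be changed alone, the key is dedicated to cookie authentication (per the "same secret key" item), and the server enforces the lifetime rather than trusting the client to drop the cookie. The key value and the `make_cookie`/`verify_cookie` names are constructed for the example.

```python
import hmac
import hashlib
import time
from typing import Optional
from urllib.parse import urlencode, parse_qs

# Constructed sample key; a real deployment uses a random key reserved for
# cookie authentication only, so it can be rotated independently.
COOKIE_KEY = b"example-cookie-mac-key-do-not-reuse"


def _mac(key: bytes, exp: int, data: str) -> str:
    # The MAC is computed over the encoded "exp=t&data=s" pair, so tampering
    # with either the expiry or the data invalidates the digest.
    msg = urlencode({"exp": exp, "data": data}).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_cookie(key: bytes, data: str, lifetime: int, now: Optional[int] = None) -> str:
    """Build exp=t&data=s&digest=MAC(exp=t&data=s) with a bounded lifetime."""
    exp = (int(time.time()) if now is None else now) + lifetime
    return urlencode({"exp": exp, "data": data, "digest": _mac(key, exp, data)})


def verify_cookie(key: bytes, cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the data field if the cookie is authentic and unexpired, else None."""
    fields = parse_qs(cookie, keep_blank_values=True)
    try:
        exp = int(fields["exp"][0])
        data = fields["data"][0]
        digest = fields["digest"][0]
    except (KeyError, ValueError, IndexError):
        return None  # malformed cookie
    # Check the MAC first, in constant time; a forged expiry is never trusted.
    if not hmac.compare_digest(digest.encode(), _mac(key, exp, data).encode()):
        return None
    # Server-side lifetime check: expired cookies are rejected even if the
    # client keeps presenting them.
    if (int(time.time()) if now is None else now) >= exp:
        return None
    return data
```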