Hello Paul,
The IP is indeed used to create the validation cookie. But in order to
fix issues with proxies the IP is "guessed" thanks to the "X-Forwarded-For"
header of the request.
But I can't tell from which version it has been done this way :). So what
version of XWiki were you using when you got these issues?
Thomas
On Wed, Mar 6, 2013 at 9:02 PM, Paul Libbrecht <paul(a)hoplahup.net> wrote:
Hello fellow developers,
So as to preserve the security of our users, we do one small thing: the
user-name and password (and registration info) are submitted over https. All
other communication is done over http.
This works well for someone connected normally to the internet.
This works incorrectly for someone who is forced to use a proxy by their
network conditions, e.g. hotels, wifi hotspots and mobile devices' provided
networks.
The reason this is the case is the following:
MyPersistentLoginManager.checkValidation checks a "validation" cookie
computed as a salted hash of the triple username, password, and IP. And
in the cases above, the IPs are different, so the validation fails, the
login is unsuccessful, and the console says:
Login cookie validation hash mismatch! Cookies have been tampered with
What are our options?
Is it true that removing IP in this validation would make the system weak
as anyone stealing the cookie from another IP could become that user?
Would it be as simple as finding the right header "chain end" and replacing
it?
It seems that it would be possible.
paul
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
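The two mechanisms the thread talks about, an IP-bound validation cookie (Paul's message) and guessing the client IP from "X-Forwarded-For" (Thomas's reply), as an added example. This is not XWiki's code, and not MyPersistentLoginManager: the function names client_ip, validation_hash, check_validation and scenarios, the server secret, the salt and all addresses are constructed here. It assumes the cookie is a keyed, salted hash of (username, password, IP) as Paul describes, and it only believes "X-Forwarded-For" hops that were appended by proxies the site itself operates, because any other hop is client-supplied text.

```python
"""Added example (not XWiki code): an IP-bound persistent-login validation
hash, and a client-IP guess from X-Forwarded-For that trusts only known proxies."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed per-installation secret; a real deployment would load it from config.
SERVER_SECRET = b"constructed-server-secret-not-from-the-page"


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: set[str]) -> str:
    """Best estimate of the real client address.

    Every proxy on the path appends its view of the client to X-Forwarded-For,
    so the header is only meaningful for hops added by proxies we operate.
    Walk the chain from the right (the peer that actually opened the TCP
    connection) and stop at the first address that is not one of our proxies.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    hops.append(remote_addr)
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Client-supplied header text may be garbage; never feed it into the hash.
            return remote_addr
        return hop
    return remote_addr  # every hop was one of our own proxies


def validation_hash(username: str, password: str, ip: Optional[str], salt: str) -> str:
    """Salted hash of (username, password, IP) as the thread describes.
    ip=None models the "drop the IP from the cookie" option Paul asks about."""
    message = "\x00".join((username, password, ip or "")).encode()
    return hmac.new(SERVER_SECRET + salt.encode(), message, hashlib.sha256).hexdigest()


def check_validation(cookie: str, username: str, password: str,
                     ip: Optional[str], salt: str) -> bool:
    # Constant-time comparison so the check itself does not leak the expected hash.
    return hmac.compare_digest(cookie, validation_hash(username, password, ip, salt))


def scenarios() -> dict[str, bool]:
    """Replay the situations from the thread; each value is 'did the cookie validate'."""
    salt, user, pw = "constructed-salt", "alice", "constructed-password"
    our_proxies = {"10.0.0.2", "10.0.0.3"}  # constructed addresses of our own reverse proxies
    out = {}

    # 1. Direct connection from a fixed address: issue and check with the same IP.
    home = client_ip("203.0.113.10", None, our_proxies)
    cookie = validation_hash(user, pw, home, salt)
    out["direct_same_ip"] = check_validation(cookie, user, pw, home, salt)

    # 2. Same client, but now reaching us through our own reverse proxy chain:
    #    the peer is 10.0.0.2 and the header carries the real client, so the IP
    #    recovered from the chain still matches the one in the cookie.
    via_ours = client_ip("10.0.0.2", "203.0.113.10, 10.0.0.3", our_proxies)
    out["behind_our_reverse_proxy"] = check_validation(cookie, user, pw, via_ours, salt)

    # 3. A peer we do not trust presents the same header: it is ignored and the
    #    peer address is used, so the cookie does not validate for that peer.
    untrusted = client_ip("198.51.100.7", "203.0.113.10", our_proxies)
    out["untrusted_peer_header_ignored"] = check_validation(cookie, user, pw, untrusted, salt)

    # 4. Paul's case: a hotel/mobile proxy whose egress address changes between
    #    the login request and the next one. Its proxy is not ours, so the
    #    changed egress IP is what gets hashed, and validation fails.
    hotel_cookie = validation_hash(user, pw, client_ip("198.51.100.20", None, our_proxies), salt)
    later = client_ip("198.51.100.21", "203.0.113.10", our_proxies)
    out["hotel_proxy_egress_changed"] = check_validation(hotel_cookie, user, pw, later, salt)

    # 5. The alternative Paul asks about: leave the IP out. The cookie then
    #    validates from any network, so its secrecy is the only thing binding
    #    it to the user.
    no_ip_cookie = validation_hash(user, pw, None, salt)
    out["ip_dropped_from_hash"] = check_validation(no_ip_cookie, user, pw, None, salt)
    return out


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:32s} {'valid' if ok else 'MISMATCH'}")
```

The important design choice is in client_ip: the header is walked from the right and only hops belonging to proxies the site runs are skipped, so a direct peer that sends its own "X-Forwarded-For" does not get to choose the IP that goes into the hash. That is what keeps the "guessed" IP from becoming attacker-controlled input; whether to keep the IP in the hash at all is the trade-off scenario 5 makes visible.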