[xwiki-devs] MyPersistentLoginManager.checkValidation
Hello fellow developers, So as to preserve security of our users, we do one small thing: the user-name and password (and registration info) is submitted over https. All other communication is done over http. This works well for someone connected normally to the internet. This works incorrectly for someone who is forced to use a proxy by its network conditions, e.g. hotels, wifi hotspots and mobile devices' provided networks. The reason it is the case, it the following MyPersistentLoginManager.checkValidation checks a "validation" cookie which computes a salted hash of the triple username, password, and IP. And in the cases above, the IPs are different, so the validation fails, the login is unsuccessful, the console says:
Login cookie validation hash mismatch! Cookies have been tampered with
What our options? Is it true that removing IP in this validation would make the system weak as anyone stealing the cookie from another IP could become that user? Would it be as simple as finding the right header "chain end" and replace it? It seems that it would be possible. paul
Hello Paul, The IP is indeed used to create the validation cookie. But in order to fix issues with proxies the IP is "guessed" thanks to the "X-Forwarded-For" header of the request. But I can't tell since which version it is done this way :). So what version of XWiki were you using when you got these issues ? Thomas On Wed, Mar 6, 2013 at 9:02 PM, Paul Libbrecht <[email protected]> wrote:
Hello fellow developers,
So as to preserve security of our users, we do one small thing: the user-name and password (and registration info) is submitted over https. All other communication is done over http.
This works well for someone connected normally to the internet. This works incorrectly for someone who is forced to use a proxy by its network conditions, e.g. hotels, wifi hotspots and mobile devices' provided networks. The reason it is the case, it the following
MyPersistentLoginManager.checkValidation checks a "validation" cookie which computes a salted hash of the triple username, password, and IP. And in the cases above, the IPs are different, so the validation fails, the login is unsuccessful, the console says:
Login cookie validation hash mismatch! Cookies have been tampered with
What our options?
Is it true that removing IP in this validation would make the system weak as anyone stealing the cookie from another IP could become that user?
Would it be as simple as finding the right header "chain end" and replace it? It seems that it would be possible.
paul _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
Thomas, this is based on xwiki 3.5 and the code to detect proxies is there but it isn't correct, at least for the situations we detected, where the last value in the list should be taken, and not the first as is done currently (details on http://jira.xwiki.org/browse/CURRIKI-5937). Do we know the spec paragraphs about this? I am wondering if there are other authentication methods that would not help us in such conditions, among others that of using a (server-generated) authentication certificate. They could be a lot sturdier than the cookies-based authentication. Thanks for hints. Paul On 27 mars 2013, at 18:41, Thomas Delafosse wrote:
Hello Paul,
The IP is indeed used to create the validation cookie. But in order to fix issues with proxies the IP is "guessed" thanks to the "X-Forwarded-For" header of the request. But I can't tell since which version it is done this way :). So what version of XWiki were you using when you got these issues ?
Thomas
On Wed, Mar 6, 2013 at 9:02 PM, Paul Libbrecht <[email protected]> wrote:
Hello fellow developers,
So as to preserve security of our users, we do one small thing: the user-name and password (and registration info) is submitted over https. All other communication is done over http.
This works well for someone connected normally to the internet. This works incorrectly for someone who is forced to use a proxy by its network conditions, e.g. hotels, wifi hotspots and mobile devices' provided networks. The reason it is the case, it the following
MyPersistentLoginManager.checkValidation checks a "validation" cookie which computes a salted hash of the triple username, password, and IP. And in the cases above, the IPs are different, so the validation fails, the login is unsuccessful, the console says:
Login cookie validation hash mismatch! Cookies have been tampered with
What our options?
Is it true that removing IP in this validation would make the system weak as anyone stealing the cookie from another IP could become that user?
Would it be as simple as finding the right header "chain end" and replace it? It seems that it would be possible.
paul _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
Hello Paul, As you said, one quick fix would be not to use the user IP anymore for making the validation hash. You can achieve that simply by putting xwiki.authentication.useip to false in xwiki.cfg. This is indeed a little less secure but if someone succeed in stealing cookies he could anyway fake its IP address to gain access nonetheless. So in my opinion it is better to do it this way than having a manual login page using HTTP. But in the long run, you're right, we should probably rethink our authentication methods, or at least propose alternatives. I'm currently going deeper and deeper in XWiki authentication code, and I would try to make some proposals soon. Cheers, Thomas On Wed, Mar 27, 2013 at 8:18 PM, Paul Libbrecht <[email protected]> wrote:
Thomas,
this is based on xwiki 3.5 and the code to detect proxies is there but it isn't correct, at least for the situations we detected, where the last value in the list should be taken, and not the first as is done currently (details on http://jira.xwiki.org/browse/CURRIKI-5937). Do we know the spec paragraphs about this?
I am wondering if there are other authentication methods that would not help us in such conditions, among others that of using a (server-generated) authentication certificate. They could be a lot sturdier than the cookies-based authentication.
Thanks for hints.
Paul
On 27 mars 2013, at 18:41, Thomas Delafosse wrote:
Hello Paul,
The IP is indeed used to create the validation cookie. But in order to fix issues with proxies the IP is "guessed" thanks to the "X-Forwarded-For" header of the request. But I can't tell since which version it is done this way :). So what version of XWiki were you using when you got these issues ?
Thomas
On Wed, Mar 6, 2013 at 9:02 PM, Paul Libbrecht <[email protected]> wrote:
Hello fellow developers,
So as to preserve security of our users, we do one small thing: the user-name and password (and registration info) is submitted over https.
All
other communication is done over http.
This works well for someone connected normally to the internet. This works incorrectly for someone who is forced to use a proxy by its network conditions, e.g. hotels, wifi hotspots and mobile devices' provided networks. The reason it is the case, it the following
MyPersistentLoginManager.checkValidation checks a "validation" cookie which computes a salted hash of the triple username, password, and IP. And in the cases above, the IPs are different, so the validation fails, the login is unsuccessful, the console says:
Login cookie validation hash mismatch! Cookies have been tampered with
What our options?
Is it true that removing IP in this validation would make the system weak as anyone stealing the cookie from another IP could become that user?
Would it be as simple as finding the right header "chain end" and replace it? It seems that it would be possible.
paul _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
participants (2)
-
Paul Libbrecht -
Thomas Delafosse