shibboleth-dev - [Shib-Dev] Shib session cookie propagation (was: Suhosin error messages)
Subject: Shibboleth Developers
List archive
- From: Kristof Bajnok <>
- To:
- Subject: [Shib-Dev] Shib session cookie propagation (was: Suhosin error messages)
- Date: Mon, 16 Aug 2010 18:12:14 +0200
- Organization: NIIF Institute
[Redirecting from -users]
On Monday 16 August 2010 17.14.23 Scott Cantor wrote:
> > Another approach could be if mod_shib removed the session cookie from
> > the request before propagating it. I'm not sure whether it's possible
> > or even a good idea, but I can't think of any application that can make
> > use of the shib session cookie for good. (But can easily imagine an
> > injected code which forwards the session cookie to an attacker.)
>
> The problem is Apache tends to use internal subrequests without much
> rhyme or reason. It's sort of the reverse of the spoof checking problem
> and I wouldn't be inclined to deal with that nightmare again without a
> good reason.
>
> (Security-wise, address checking helps block forwarding the session
> cookie unless the attacker is willing to spoof a source address.
Address checking is not enabled by default, and I can understand why
(especially after I spent a couple of weeks with a bad 3G/GPRS/etc
connection this summer). All the same, our guides recommend it.
> Would be interesting to know how wasy that is in practice these days
Spoofing a source address within a broadcast domain (LAN) is quite
straightforward, unless the network provider uses some anti-spoofing
technique against it. I'm not sure if such things can even work with open
wireless networks.
If I operated large LANs (as most universities do), I'd be concerned about
the session stealing problem above. I've seen too many sites recently that
turned out to be infected with injected code. And because an entity (SP)
could host multiple applications, it can induce security problems which
hadn't been present without "Shibboleth". (One another reason why not host
multiple applications on one entity.)
I can understand that dealing with Apache request handling is more than
ugly. Still I think that hiding Shib session cookie from applications would
improve the security of the SP - even though I haven't heard of such attacks
yet.
Just my 2 cents, though I'm not a security person.
Kristof
- [Shib-Dev] Shib session cookie propagation (was: Suhosin error messages), Kristof Bajnok, 08/16/2010
- RE: [Shib-Dev] Shib session cookie propagation (was: Suhosin error messages), Scott Cantor, 08/16/2010
- Re: [Shib-Dev] Shib session cookie propagation (was: Suhosin error messages), Kristof Bajnok, 08/16/2010
- RE: [Shib-Dev] Shib session cookie propagation (was: Suhosin error messages), Scott Cantor, 08/16/2010
- Re: [Shib-Dev] Shib session cookie propagation (was: Suhosin error messages), Kristof Bajnok, 08/16/2010
- RE: [Shib-Dev] Shib session cookie propagation (was: Suhosin error messages), Scott Cantor, 08/16/2010
Archive powered by MHonArc 2.6.16.