security - Is the following scheme for sessions distributed over multiple services secure? -


i'm developing client/server application communicate on internet. server consist of number of distinct services, , want user have authenticate once.

the scheme have in mind archiving having central authentication service (over encrypted connection identity of server authenticated first) authenticates user , generates "large enough" session id using secure random number generator. each service client needs access on, creates new connection, authenticates server (using certificates , ssl example) , sends secure session id prove authenticated given session. service contacts centralized authentication service verify session valid , active before responding other requests.

are there disadvantages scheme compared using challenge/response on session id or authentication cookies signed server? services trusted, there's no need protect against service (ab)using session id of connection impersonate user.

a major concern client in charge of transmitting session id or post request between servers, makes system vulnerable session fixation. description isn't clear how session state being transfered or in charge of information.

i agree cookie should large random number called cryptographic nonce. variable used key access server side state. in case of distributed session easiest solution have individual server or database can made responsible maintaining state across domains. makes things easier because user can work on multiple domains simultaneously without worry of race conditions. when server needs set or obtain session variable make request communal session server.

to transfer user 1 server without introducing session fixation vulnerability create 1 time use "transfer id", should cryptographic nonce. communal server knows user has been flagged transfer. client browser transmits "transfer id" new server, new server looks user based on "transfer id" , new server regenerate session id used domain. 1 way method use traditional session handler insure each server has unique session id. individual server can store state information link session id specific user's state on distributed system.


Comments

Post a Comment

Popular posts from this blog

Add email recipient to all new Trac tickets -

is there configuration change can made trac send notification email address upon creation of new tickets? if can't done through config, plugin second best option, source code modification last resort. note: setting smtp_always_cc in notification section of tracini send messages on updates. i'm in need of email notifications only on creation of new ticket. does have email notification? 1 option have create query list ten (or many) recently-created tickets. when looking @ results of query, use "rss feed" button @ bottom of page subscribe feed notify whenever results of query updated.
Read more

400 Bad Request on Apache/PHP AddHandler wrapper -

i'm trying create wrapper/handler called on apache server whenever requests php script inside of directory. way can authorize users entire directory or write other stuff called when directory called. this best configuration i've been able come with... <directory "/srv/http/innov/public_html"> options -indexes allowoverride order allow,deny allow directoryindex index.php </directory> then in /srv/http/innov/public_html/kb/ have .htaccess file... options -indexes addhandler auth_handler .php action auth_handler ../auth_handler.php then in /srv/http/innov/public_html/kb/auth_handler.php follows... <?php $file = $_server['path_translated']; echo $file; ?> access log: - - [02/dec/2010:17:43:15 -0500] "get /kb/index.php http/1.1" 400 590 error log: [thu dec 02 17:50:19 2010] [error] [client xxx.xxx.xxx.xxx] invalid uri in request /kb/ http/1.1 i've checked browser , seems making proper request...
Read more

php - Change action and image src url's with jQuery -

i parsing form 1 of sites using php proxy. working fine form action , img src of submit button url's relative. how can prepend full http//www.domain.com/ in front of each of url's in form? edit: here's form code once fed through new domain: <div style="display: none;" id="subscribeform" class="newform"> <h5>subscribe our newsletter</h5> <form action="/campaignprocess.aspx?listid=27057" method="post" onsubmit="return checkwholeform93426(this)" name="catemaillistform93426"> <div class="form"> <div class="item"> <label for="clfullname">full name</label> <br /> <input type="text" maxlength="255" id="clfullname" name="fullname" class="cat_textbox_small" st...
Read more