Re: [Webappsec] Paper: Weaning the Web off of Session Cookies

[Chris Travers <chris () metatrontech com>]

Hi all;

Just backing up Tim here a bit.

In LedgerSMB 1.3, we decided to go to HTTP auth because of some
changes in the security architecture of the software.  After looking
at alternatives, we concluded that http auth was likely to be the way
to go long-run.  There are some constraints which preclude the use of
Digest authentication (negotiated and basic work OK, but the latter
really requires SSL).

In general the issues came down to:

1)  We do pass-through authentication, and both authentication and
permissions enforcement occurs on the database-level.
2)  To do this effectively, we would have to either store the database
passwords somewhere accessible to the web server (opening up possible
attacks) or we would have to pass it back using some sort of secure,
but reversible encryption scheme.  Since the key would have to be
accessible on the server, this didn't seem as secure to us as just
requiring a usable auth token to be passed to the web server via http
auth.

There are substantial hurdles to overcome to make this work.  However,
moving to an HTTP auth framework means that a number of really
powerful tools are gained.  While it isn't standard yet, I hope the
industry moves in that direction.

I do think we need some sort of HTTP status or other header
information that would tell a browser to clear the auth cache and not
try again.

Best Wishes,
Chris Travers

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/