Security issue--new software
I finally came to the realization that the time I've spent getting
to know the software enough to make the few changes I wanted would
be wasted if I didn't do a good reorganization that the code badly
needs. Hopefully that will also help us diagnose some of its
performance and scalability problems (for example, I've already
found that the code as it is now does 14 database queries to display
the front page!)

So, I'm refactoring the code and documenting as I go, but I want
to get an opinion from not only the tech folks but the list at
large about what the login/logout behavior should be.

Question 1: What is the behavior of the "remember password" user
option supposed to be? Please don't describe code details--I need
to know WHAT it's supposed to do, not HOW (because I'm changing
the latter). We already save the user's ID and some settings in
a cookie (we have to, to handle prefs), and we delete the cookie
when the user explicitly logs out (which is good for security),
requiring him to log in and specify his password again. So what's
the difference between a user with this setting and a user without
it? Do we want to retain the user's password in a cookie even when
he logs out? We don't do that currently, so I'm just not clear
what the option is supposed to do.

Question 2: What's a reasonable cookie expiration? It's currently
a year, but I'm thinking a week or a month might be better for
security.

Question 3: Do we "trust" cookies for such issues as sysop access?
Some anonymous user could, for example, mock up the cookies of a
logged-in sysop and start deleting things. Should we take measures
to secure against that, or just be more relaxed and rely on making
frequent backups?


--
Lee Daniel Crocker <lee@piclab.com> <http://www.piclab.com/lee/>
"All inventions or works of authorship original to me, herein and past,
are placed irrevocably in the public domain, and may be used or modified
for any purpose, without permission, attribution, or notification."--LDC
Re: Security issue--new software
On Tuesday 07 May 2002 20:20, Lee Daniel Crocker wrote:
> I finally came to the realization that the time I've spent getting
> to know the software enough to make the few changes I wanted would
> be wasted if I didn't do a good reorganization that the code badly
> needs. Hopefully that will also help us diagnose some of its
> performance and scalability problems (for example, I've already
> found that the code as it is now does 14 database queries to display
> the front page!)
>
> So, I'm refactoring the code and documenting as I go, but I want
> to get an opinion from not only the tech folks but the list at
> large about what the login/logout behavior should be.
>
> Question 1: What is the behavior of the "remember password" user
> option supposed to be? Please don't describe code details--I need
> to know WHAT it's supposed to do, not HOW (because I'm changing
> the latter). We already save the user's ID and some settings in
> a cookie (we have to, to handle prefs), and we delete the cookie
> when the user explicitly logs out (which is good for security),
> requiring him to log in and specify his password again. So what's
> the difference between a user with this setting and a user without
> it? Do we want to retain the user's password in a cookie even when
> he logs out? We don't do that currently, so I'm just not clear
> what the option is supposed to do.

I'm working on a database with a web front end, and the way I handle logins
is that I set a cookie containing a random string and store the random
string, along with an expiration time and the user who is logged in, in a
table in the database. When a user logs in, all expired cookies are deleted.

> Question 2: What's a reasonable cookie expiration? It's currently
> a year, but I'm thinking a week or a month might be better for
> security.
>
> Question 3: Do we "trust" cookies for such issues as sysop access?
> Some anonymous user could, for example, mock up the cookies of a
> logged-in sysop and start deleting things. Should we take measures
> to secure against that, or just be more relaxed and rely on making
> frequent backups?

I would make the sysop's cookie expire faster than a regular user's cookie.
We might require that a sysop use HTTPS.

phma
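The scheme phma describes (a cookie that carries only a random string, with the string, its expiry and the logged-in user kept in a database table, expired rows purged at login) and the follow-up suggestion of a shorter expiry for sysops, worked through as an added example. This is not code from the thread or from the wiki software under discussion; the table layout, the TTL values, the `secrets`/`sqlite3` choice and the `Secure`/`HttpOnly` cookie attributes are assumptions made here to show the design. The point it illustrates for Question 3 is that a session token drawn from a 256-bit random source cannot be derived from a known user ID, so a forged cookie simply fails the table lookup.

```python
import secrets
import sqlite3
import time

# Assumed session lifetimes in seconds: a month for ordinary users,
# two hours for sysops (phma suggests sysop cookies should expire faster).
SESSION_TTL = {"user": 30 * 24 * 3600, "sysop": 2 * 3600}


def open_store():
    """Create the (hypothetical) sessions table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions ("
        "token TEXT PRIMARY KEY, username TEXT NOT NULL, "
        "role TEXT NOT NULL, expires INTEGER NOT NULL)"
    )
    return conn


def purge_expired(conn, now):
    """Delete every session whose expiry time has passed."""
    conn.execute("DELETE FROM sessions WHERE expires <= ?", (int(now),))
    conn.commit()


def login(conn, username, role, now=None):
    """Issue a fresh random token for the user and record it server-side."""
    now = time.time() if now is None else now
    purge_expired(conn, now)  # as in the reply: expired cookies are deleted at login
    # 32 random bytes (256 bits): the token reveals nothing about the user
    # and cannot be guessed from the user ID or any other public value.
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO sessions (token, username, role, expires) VALUES (?, ?, ?, ?)",
        (token, username, role, int(now + SESSION_TTL[role])),
    )
    conn.commit()
    return token


def lookup(conn, token, now=None):
    """Resolve a presented cookie value to {"username", "role"}, or None if unknown/expired."""
    now = time.time() if now is None else now
    row = conn.execute(
        "SELECT username, role FROM sessions WHERE token = ? AND expires > ?",
        (token, int(now)),
    ).fetchone()
    return None if row is None else {"username": row[0], "role": row[1]}


def logout(conn, token):
    """Explicit logout: drop the server-side row so the cookie value is dead."""
    conn.execute("DELETE FROM sessions WHERE token = ?", (token,))
    conn.commit()


def count_sessions(conn, username=None):
    """Number of stored sessions, optionally for one user (used to verify purging)."""
    if username is None:
        return conn.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]
    return conn.execute(
        "SELECT COUNT(*) FROM sessions WHERE username = ?", (username,)
    ).fetchone()[0]


def set_cookie_header(token, max_age, secure=True):
    """Build the Set-Cookie header for the token.

    HttpOnly keeps the value away from page scripts; Secure restricts it to
    HTTPS, which matches the suggestion that sysops be required to use HTTPS.
    """
    attrs = ["session=" + token, "Path=/", "Max-Age=%d" % max_age, "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    store = open_store()
    t = login(store, "alice", "sysop")
    print(set_cookie_header(t, SESSION_TTL["sysop"]))
    print(lookup(store, t))
    print(lookup(store, "a-cookie-value-someone-made-up"))
```

Because the cookie holds a random handle rather than the user ID, "remembering" a user across browser restarts is just a question of how long the row (and the cookie's Max-Age) lives; explicit logout deletes the row, so a copied cookie value is useless afterwards regardless of its expiry.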