[Owasp-alabama] using SESSION Vars to store sensitive data...

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Tue Jun 21 13:20:41 EDT 2011


On Jun 21, 2011, at 12:08 PM, owasp-alabama at lists.owasp.org wrote:

> Hey Chris,
> 
> I'm guessing the authenticated users will be from the Intranet and Internet?

the application is designed for INTRANET use in a corporation, but I tend to write for the open internet anyway... just better policy..

> Either way, it's going to be very important to protect the  authentication
> session variable from "session hijacking".  This is the same theory in all
> apps that use authenticated sessions. But especially important when dealing
> with AD credentials as they could be used to further authenticate to the
> domain.

yes of course, I'm doing a lot to prevent that (that's another discussion); I feel comfortable on this point... so assuming session hijacking isn't an issue, is using the session ok?
it would need to be... [gulp]
$_SESSION['ldap_user'] = $myusername;
$_SESSION['ldap_pass'] = $mypassword;



> I'm not real familiar with adldap but will any of the seamless auth options
> work ?
> (http://adldap.sourceforge.net/wiki/doku.php?id=seamless_authentication)
> 

yeah, the trouble is that we aren't in control of the webserver this would go on; it's a web app only... I need to try to do this without OS level requirements...
we could always turn off all authentication in my app and force them to login to the webserver (if they are using IIS), but then we won't be able to deal with multiple access levels properly in my app.

> I would definitely try to not rely on obfuscation as most any attacker
> recognizes it and will decode it.
> 

I agree, someone on another list suggested it only if you *had* to write to the session var.

> JP

so to clarify, is using the session for this an ignorant idea? what are my options?





> 
> -----Original Message-----
> From: owasp-alabama-bounces at lists.owasp.org
> [mailto:owasp-alabama-bounces at lists.owasp.org] On Behalf Of
> owasp-alabama at lists.owasp.org
> Sent: Tuesday, June 21, 2011 11:59 AM
> To: owasp-alabama at lists.owasp.org
> Subject: [Owasp-alabama] using SESSION Vars to store sensitive data...
> 
> Ok all, here it goes...
> 
> I have a large enterprise product I'm working on, it has been in production
> for some time...  they now want me to add LDAP (AD via LDAP) authentication
> support...
> 
> - The app is PHP . . . ok ok let's keep the rhetoric down ;-)
> - It must run on any web server that supports PHP, and yes all functions
> should work from any hosted OS
> - Backend is MySQL (but that's not really relevant...)
> 
> I'm using ADLDAP.php, seems to be fairly solid... --->
> http://adldap.sourceforge.net/
> 
> I can authenticate fine from any hosted OS, all is great there...
> 
> here's the problem..
> 
> I often have to go back to the LDAP server during the course of setup to get
> different values; to do this I need to re-authenticate with the LDAP server
> on every request... so this means the user could have to enter the
> credentials multiple times... that sucks...
> 
> the only solution is to store the user / pass the first time they enter it
> somewhere, so I can grab it and resend to LDAP when I need it...
> 
> so where to store it?
> 
> - I don't want to store them anywhere permanent of course
> - I only need it for the existing session
> - it's really only important when the admin is changing stuff for users or
> LDAP config.
> - I can't use a one way hash, cause I need to send it to another server...
> - I could do some sort of obfuscation, but is that really secure? better
> than nothing?
> 
> Options
> - Session var is certainly an option... but other than the obvious session file
> on the server are there other risks?
> 
> - I could store it in the DB, but then that seems more risky than the
> session because there are more points of access..
> 
> - an obvious one is to pull all the data from LDAP on the first login and
> stuff that in a session, but on large LDAP it will slow user login time
> down... non-starter...
> 
> of course regular session security needs to be optimal...
> 
> 
> IDEAS or COMMENTS?  I can handle flames as long as they are intelligent...
> :-)
> 
> Chris
> _______________________________________________
> Owasp-alabama mailing list
> Owasp-alabama at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-alabama
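
One concrete answer to the "other than the obvious session file on the server are there other risks?" question, as an added example (not Chris's code and not part of adldap): if the password has to live for the session, split the secret so the server-side session file never holds it in the clear. The session keeps only an authenticated ciphertext; the key is sent to the browser in a separate HttpOnly cookie, so neither the session file alone nor the cookie alone yields the password. Assumes PHP >= 7.3 (built-in sodium, array-style cookie options) served over HTTPS, with the session cookie itself given the same flags via session_set_cookie_params; the function and cookie names are this example's own.

```php
<?php
// Added example, not from the thread or from adldap. Server side stores only
// ciphertext; the key lives only in an HttpOnly cookie. Assumes PHP >= 7.3
// over HTTPS; function and cookie names are this example's own.

const LDAP_KEY_COOKIE = 'ldap_k';
const COOKIE_OPTS = ['expires' => 0, 'path' => '/', 'secure' => true,
                     'httponly' => true, 'samesite' => 'Strict'];

// Call once, right after adldap has verified the credentials.
function ldap_session_store(string $user, string $password): void {
    session_regenerate_id(true);                 // fresh id after login, old one discarded
    $key   = sodium_crypto_secretbox_keygen();   // 32 random bytes, never written server-side
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = sodium_crypto_secretbox($password, $nonce, $key);   // authenticated encryption
    $_SESSION['ldap_user'] = $user;
    $_SESSION['ldap_ct']   = base64_encode($nonce . $ct);        // server side: ciphertext only
    setcookie(LDAP_KEY_COOKIE, base64_encode($key), COOKIE_OPTS); // client side: key only
    sodium_memzero($key);
}

// Recover the password for one re-bind; null if either half is missing,
// malformed, or the ciphertext fails its authentication tag.
function ldap_session_fetch(): ?string {
    if (!isset($_SESSION['ldap_ct'], $_COOKIE[LDAP_KEY_COOKIE])) {
        return null;
    }
    $key  = base64_decode($_COOKIE[LDAP_KEY_COOKIE], true);
    $blob = base64_decode($_SESSION['ldap_ct'], true);
    if ($key === false || $blob === false
        || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES
        || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;                              // tampered or truncated: refuse, do not guess
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pw = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    sodium_memzero($key);
    return $pw === false ? null : $pw;            // false means the MAC check failed
}

// Logout: drop both halves so neither the file nor the cookie outlives the session.
function ldap_session_end(): void {
    $_SESSION = [];
    setcookie(LDAP_KEY_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}
```

The plaintext still exists in process memory for the duration of each request, and anyone holding both the session file and that user's cookie still recovers the password, so this removes the session file as a single point of disclosure but is not a substitute for the session-hijacking protections discussed above.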


