[Owasp-alabama] using SESSION Vars to store sensitive data...

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Tue Jun 21 14:30:00 EDT 2011


Below

Chris Story



On Jun 21, 2011, at 12:54, owasp-alabama at lists.owasp.org wrote:

> Would it be possible to store the NTLM challenge result as opposed to the actual credentials?
> 

Assuming that I'm hosted on Windows, maybe, but one main issue is this needs to work from any OS that is serving the PHP pages and any web server software.. Basically the only dependency is PHP..

> Storing the data in the session variables on the server side is not unheard of, but is certainly sub-optimal, as you have alluded to.
> 
> If possible, can you revisit how the server retrieves the LDAP attributes? I'm simply suggesting that rather than find a solution to a problem that shouldn't exist, let's remove the problem. So to speak.

Since I can't depend on the underlying OS for authentication support, I need to do this at the PHP level, so allowing PHP to access the LDAP server provides the "run anywhere" support I need.  The class I'm using authenticates, then queries the directory. Since the requests are coming from the user logged into my app and not the web server service user (apache, www, iusr, whatever), it needs to re-authenticate on each query to maintain the context of that user and not risk cross authentication.

> 
> What I'm getting at is that storing LDAP attributes is much less risky than storing credentials. Typically, I would think that it would be reasonable to store what attributes you'll need on the first request, but you mentioned that would be slow. Why?
> 

On initial login I only grab email and group memberships from LDAP.  In 95% of the use cases this is all I need, and this works fine.  The issue is when an admin needs to configure or change something: we grab different items from LDAP depending on the task. We would not want to grab the entire LDAP just in case we might need something.  Some of our clients have ***massive*** LDAP directories.

Example:
Add in new group membership --> need all groups from LDAP.  Even if I do a partial query I still need to auth.

Sites and services, locations, systems, domains... It gets ugly very fast..

They also will need to access multiple domains in one session so each domain needs to be authed..

What I think is ideal is to popup a login box to re-auth the first time you attempt to access a given domain, then "cache" those creds for later use.

Chris

All From my phone... Whew!


> 
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
> 
> http://www.owasp.org
> --
> "Si vis pacem, para bellum"
> --
> 
> 
> On Tue, Jun 21, 2011 at 11:58 AM, <owasp-alabama at lists.owasp.org> wrote:
> Ok all, here it goes...
> 
> I have a large enterprise product I'm working on; it has been in production for some time...  they now want me to add LDAP (AD via LDAP) authentication support...
> 
> - The app is PHP . . . ok ok, let's keep the rhetoric down ;-)
> - It must run on any web server that supports PHP, and yes, all functions should work from any hosted OS
> - Backend is MySQL (but that's not really relevant...)
> 
> I'm using ADLDAP.php, seems to be fairly solid... ---> http://adldap.sourceforge.net/
> 
> I can authenticate fine from any hosted OS, all is great there...
> 
> here's the problem..
> 
> I often have to go back to the LDAP server during the course of setup to get different values; to do this I need to re-authenticate with the LDAP server on every request... so this means the user could have to enter the credentials multiple times... that sucks...
> 
> The only solution is to store the user / pass the first time they enter it somewhere, so I can grab it and resend to LDAP when I need it...
> 
> So where to store it?
> 
> - I don't want to store them anywhere permanent, of course
> - I only need it for the existing session
> - It's really only important when the admin is changing stuff for users or LDAP config.
> - I can't use a one-way hash, because I need to send it to another server...
> - I could do some sort of obfuscation, but is that really secure? Better than nothing?
> 
> Options
> - Session var is certainly an option... but other than the obvious session file on the server, are there other risks?
> 
> - I could store it in the DB, but then that seems more risky than the session because there are more points of access..
> 
> - An obvious one is to pull all the data from LDAP on the first login and stuff that in a session, but on a large LDAP it will slow user login time down... non-starter...
> 
> Of course regular session security needs to be optimal...
> 
> 
> IDEAS or COMMENTS?  I can handle flames as long as they are intelligent... :-)
> 
> Chris
> _______________________________________________
> Owasp-alabama mailing list
> Owasp-alabama at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-alabama
> 
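The thread leaves the session-variable option as "certainly an option" with unclear residual risk. As an added illustration (this is not code from the thread, from Chris, or from the ADLDAP.php library), the sketch below shows one way to limit what a leaked server-side session file reveals: the LDAP password is cached per domain for the current session only, encrypted with a random key that lives solely in a separate `HttpOnly`/`Secure` cookie, so neither the session store alone nor the cookie alone yields the password, and the cache is cleared on logout. The cookie name `ldapck`, the `ldap_cred` session key and the function names are hypothetical; it assumes PHP 7.3 or later with the sodium extension and TLS in front of the app.

```php
<?php
// Added example, not from the mailing-list thread: session-scoped LDAP
// credential cache whose encryption key is held only in a browser cookie.
// Assumes PHP >= 7.3 with ext-sodium. Cookie/session names are hypothetical.
declare(strict_types=1);

const CRED_KEY_COOKIE = 'ldapck';   // hypothetical cookie carrying the per-session key

function startHardenedSession(): void
{
    // Session cookie only (no persistence), TLS-only, not script-readable, same-site.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject attacker-supplied session ids
    session_start();
}

function sessionKey(): string
{
    // The key is never written to the server-side session store, only to the cookie.
    if (isset($_COOKIE[CRED_KEY_COOKIE])) {
        $key = base64_decode($_COOKIE[CRED_KEY_COOKIE], true);
        if ($key !== false && strlen($key) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            return $key;
        }
    }
    $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    $encoded = base64_encode($key);
    setcookie(CRED_KEY_COOKIE, $encoded, [
        'expires' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    $_COOKIE[CRED_KEY_COOKIE] = $encoded;   // make the key usable within this request
    return $key;
}

function cacheCredential(string $domain, string $username, string $password): void
{
    // Rotate the session id at the point of (re)authentication for a domain.
    session_regenerate_id(true);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $blob  = sodium_crypto_secretbox(json_encode([$username, $password]), $nonce, sessionKey());
    $_SESSION['ldap_cred'][$domain] = ['n' => $nonce, 'c' => $blob];
    sodium_memzero($password);   // wipe this copy; the caller should drop its own copy too
}

function cachedCredential(string $domain): ?array
{
    if (!isset($_SESSION['ldap_cred'][$domain])) {
        return null;   // nothing cached: prompt the user to re-auth for this domain
    }
    ['n' => $nonce, 'c' => $blob] = $_SESSION['ldap_cred'][$domain];
    $plain = sodium_crypto_secretbox_open($blob, $nonce, sessionKey());
    if ($plain === false) {
        unset($_SESSION['ldap_cred'][$domain]);   // key mismatch or tampering: discard
        return null;
    }
    return json_decode($plain, true);   // [username, password] for the LDAP bind
}

function forgetCredentials(): void
{
    // Called on logout or when the admin task is finished.
    unset($_SESSION['ldap_cred']);
    setcookie(CRED_KEY_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

Usage follows the flow Chris describes: call `startHardenedSession()` on every request, `cacheCredential($domain, $user, $pass)` after the per-domain login prompt succeeds, `cachedCredential($domain)` just before each ADLDAP bind (a `null` result means the prompt is shown again), and `forgetCredentials()` at logout. The split does not make the design safe against an attacker who already executes code in the PHP process, since that process sees both halves during a request; it narrows the exposure of the session file on disk, which is the specific risk raised in the thread.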