[Owasp-alabama] using SESSION Vars to store sensitive data...

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Tue Jun 21 16:09:36 EDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jun 21, 2011, at 2:59 PM, owasp-alabama at lists.owasp.org wrote:

> 
> On Jun 21, 2011, at 2:24 PM, owasp-alabama at lists.owasp.org wrote:
> 
>> Awesome. I think I see the big picture.
>> 
>> I have this EXACT issue with one of my internal PHP applications. Oddly enough, this application has the same requirement as yours. Its authentication system is based on AD, but is platform independent.
>> 
>> We use a service account that has full read access to the AD tree. Any non-authentication requests, such as object attribute queries, use that account.
>> 
>> So if I log in as administrator, and want to create a new user in the application, the app does a tree query to see if the user account exists in AD using the service account, not the account of the administrator. Access to these calls is restricted to users who carry the proper group membership.
>> 
>> Another great thing about this is that we can tightly control the access of the service account, i.e. no write permissions to the AD tree. Also, there are some cases when non-admin users of the application might have a legitimate need to access an AD object attribute, and this system allows them to do it. (Think delegation of group permissions inside the app.)

This is a good way to solve this problem. Good thoughts, Brad.

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851 
"Moments of sorrow are moments of sobriety"

-----BEGIN PGP SIGNATURE-----

iD8DBQFOAPqAlZy1vkUrR4MRAhI5AKCj0gHLFguGNh7vayi7cluYAxIoegCgoc95
MmXWJzfqyh5d+gke69NsnNw=
=kTKP
-----END PGP SIGNATURE-----
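The pattern Brad describes above, a read-only service account doing the directory lookups while the application itself checks the caller's group membership, sketched as an added PHP example. This is not code from the mailing list post or from Brad's application; the LDAP URI, base DN, group DN and environment variable names are assumptions, and the lookup is written against PHP's standard ldap_* functions.

```php
<?php
// Added example, not from the mailing list post. Shows an application-level
// guard around an AD attribute lookup that is performed with a read-only
// service account, so the logged-in administrator's own credentials are never
// needed (and never stored in the session) for directory queries.
declare(strict_types=1);

// All three values are assumptions for this example.
const LDAP_URI       = 'ldaps://dc.example.internal';
const LDAP_BASE_DN   = 'DC=example,DC=internal';
const ADMIN_GROUP_DN = 'CN=App Admins,OU=Groups,DC=example,DC=internal';

/**
 * The session holds only the group DNs resolved at login, not a password.
 * Returns true when one of them matches the group required for lookups.
 */
function userMayQueryDirectory(array $sessionGroups, string $requiredGroupDn): bool
{
    foreach ($sessionGroups as $dn) {
        // AD distinguished names are not case sensitive.
        if (strcasecmp($dn, $requiredGroupDn) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Builds the sAMAccountName filter with the value escaped, so a name typed
 * by an administrator cannot change the structure of the filter.
 */
function buildUserFilter(string $samAccountName): string
{
    return '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($samAccountName, '', LDAP_ESCAPE_FILTER) . '))';
}

/**
 * Looks up a user's DN and mail attribute via the service account.
 * Returns null when no such account exists; throws when the caller is not
 * authorised or the directory cannot be reached.
 */
function findAdUser(string $samAccountName, array $sessionGroups): ?array
{
    if (!userMayQueryDirectory($sessionGroups, ADMIN_GROUP_DN)) {
        throw new RuntimeException('caller is not in the required group');
    }

    // Service account credentials come from the environment (or a secrets
    // store) on the server side; variable names are assumptions.
    $svcUser = getenv('APP_LDAP_SVC_USER');
    $svcPass = getenv('APP_LDAP_SVC_PASS');
    if ($svcUser === false || $svcPass === false || $svcPass === '') {
        throw new RuntimeException('service account credentials not configured');
    }

    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        throw new RuntimeException('invalid LDAP URI');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ldap, $svcUser, $svcPass)) {
        throw new RuntimeException('service account bind failed: ' . ldap_error($ldap));
    }

    try {
        // Request only the attributes the application needs, at most one entry.
        $result = ldap_search(
            $ldap,
            LDAP_BASE_DN,
            buildUserFilter($samAccountName),
            ['distinguishedName', 'mail'],
            0,
            1
        );
        if ($result === false) {
            throw new RuntimeException('search failed: ' . ldap_error($ldap));
        }
        $entries = ldap_get_entries($ldap, $result);
        if ($entries['count'] === 0) {
            return null;
        }
        // ldap_get_entries lower-cases attribute names.
        return [
            'dn'   => $entries[0]['dn'],
            'mail' => $entries[0]['mail'][0] ?? null,
        ];
    } finally {
        ldap_unbind($ldap);
    }
}

// Usage from a request handler, with the group list the app put in the
// session at login time:
//   $user = findAdUser($_POST['username'], $_SESSION['groups'] ?? []);
```

Two points the code makes concrete beyond the description: the group check runs before the service account is even bound, so an unauthorised caller never triggers directory traffic, and the session carries only the caller's resolved group DNs, which is all the application needs to make that decision.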
