Ticket #1041 (new defect)

Opened 13 years ago

Last modified 13 years ago

[S] Authkit cookie sets user's OpenID in plain text

Reported by: pjkersha Owned by: pjkersha
Priority: blocker Milestone: NDG3
Component: security Version:
Keywords: security Cc:


AuthKit used for the OpenID Relying Party implementation, sets cookies containing the user OpenID in plain text. This needs changing so that the cookie contains no security information and acts solely as an opaque handle to a server side session object.

Change History

comment:1 Changed 13 years ago by pjkersha

A ticket_class option enables an alternate cookie handling class to be used but the ticket parsing is handled by a module function authkit.authenticate.parse_ticket which therefore cannot be overridden.

Though the cookie is not encrypted it is signed and is limited to an IP as measures to prevent tampering.

The solution may be to add another AuthKit method entry point or refactor out AuthKit completely. Parking this issue to press on with PDP implementation.

Note: See TracTickets for help on using tickets.