Ticket #128 (closed issue: fixed)

Opened 13 years ago

Last modified 12 years ago

[s] Consider modifying the NDG security cookie

Reported by: lawrence
Owned by: pjkersha
Priority: desirable
Milestone: BETA+Security
Component: security
Version:
Keywords:
Cc: astephen, lawrence

Description

Currently the NDG security cookie seems to be set as two cookies, and it might be tidier (and easier in other code) to consider moving to one cookie with the two values part of that, i.e., a cookie of the form 'ndgSecurity' rather than 'NDG-ID1' and 'NDG-ID2'.

Change History

comment:1 Changed 12 years ago by lawrence

  • Milestone changed from BETA to BETA+Security

comment:2 Changed 12 years ago by pjkersha

  • Status changed from new to closed
  • Resolution set to fixed

The new session cookie class ndg.security.common.SessionCookie.SessionCookie combines the cookies into one. This contains the user sessID, user DN and session manager URI concatenated and encrypted using the web server's public key. The web server can now 'see' which session manager to call so there is no need to have the concept of a local session manager proxying for a remote one and forwarding requests.

Pylons has a facility for encrypting cookies so we may be able to use this instead.
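The single cookie described in comment:2, sketched as an added example that is not part of the ticket or the NDG code base: the three values are framed, encrypted to the web server's public key, and recovered on the web server with its private key. The length-prefixed framing, RSA-OAEP via the third-party `cryptography` package, the function names and the sample values are all assumptions.

```python
# Added illustration; not the NDG SessionCookie class. Needs the third-party
# "cryptography" package. Framing, padding and names are assumptions.
import base64
import struct

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def pack_fields(sess_id, user_dn, sm_uri):
    # Length-prefix each field: DNs and URIs contain '/', ',' and '=', so a
    # plain delimiter could not be split back unambiguously.
    parts = [v.encode("utf-8") for v in (sess_id, user_dn, sm_uri)]
    return b"".join(struct.pack(">H", len(p)) + p for p in parts)

def unpack_fields(blob):
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        if pos + size > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + size].decode("utf-8"))
        pos += size
    if len(fields) != 3:
        raise ValueError("expected sessID, DN and session manager URI")
    return tuple(fields)

def make_cookie(public_key, sess_id, user_dn, sm_uri):
    # Issuer side: encrypt to the web server's public key.
    blob = pack_fields(sess_id, user_dn, sm_uri)
    limit = public_key.key_size // 8 - 2 * hashes.SHA256().digest_size - 2
    if len(blob) > limit:  # RSA-OAEP takes one short block, not a stream
        raise ValueError("fields need %d bytes, key allows %d" % (len(blob), limit))
    return base64.urlsafe_b64encode(public_key.encrypt(blob, OAEP)).decode("ascii")

def read_cookie(private_key, cookie_value):
    # Web server side: decrypt, then learn which session manager to call.
    return unpack_fields(private_key.decrypt(base64.urlsafe_b64decode(cookie_value), OAEP))

def new_web_server_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

# Constructed sample values, not taken from the ticket.
SAMPLE = ("3f9c1a7e5b2d4c68", "/O=ExampleOrg/OU=Example/CN=test user",
          "https://sessionmanager.example.org/SessionManager")
```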
