Ticket #424 (closed task: fixed)

Opened 13 years ago

Last modified 12 years ago

[S] returnURI in cross domain credentials transfer needs https

Reported by: pjkersha Owned by: pjkersha
Priority: required Milestone: PROD Step2
Component: security Version:
Keywords: security, cross domain cookie Cc:

Description

When the Browse CGI redirects to the loginURI for the user it should specify a returnURI that uses https otherwise when the login page returns the cookie credentials to browse CGI they could be read by a 3rd party in transit.

Phil's SecurityCGI class should maybe also do a sanity check on the returnURI passed to it to ensure https has been specified.
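The sanity check suggested above, as an added example that is not code from the ticket or from the project. It assumes the Browse CGI passes the return address to the login page in a query parameter named `returnURI`, and the function names (`validate_return_uri`, `build_login_redirect`, `extract_return_uri`) and the optional host allowlist are illustrative; the check goes slightly beyond the ticket by also rejecting relative URLs and embedded userinfo, so that the credentials can only be returned to an absolute https address.

```python
"""Defensive handling of the returnURI in a cross-domain credential handoff.

Added example, not the project's code. Assumed: the login page reads the
return address from a 'returnURI' query parameter; the function names and
the allowed_hosts parameter are illustrative.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


class InsecureReturnURIError(ValueError):
    """Raised when a returnURI would carry credentials over an unprotected channel."""


def validate_return_uri(return_uri, allowed_hosts=None):
    """Check that return_uri is an absolute https URL the login page may send the
    session credentials back to, and return it unchanged on success.

    allowed_hosts (assumed) is an optional set of lower-case hostnames, e.g.
    the Browse CGI's own host, so credentials cannot be bounced elsewhere.
    """
    parts = urlsplit(return_uri)
    # The whole point of the ticket: the return leg must be TLS-protected.
    if parts.scheme.lower() != "https":
        raise InsecureReturnURIError(
            "returnURI must use https, got scheme %r" % parts.scheme)
    # A relative URI has no host; the login page could not reach the caller.
    if not parts.hostname:
        raise InsecureReturnURIError("returnURI must be an absolute URL with a host")
    # user:pass@host forms invite confusion about which host is the target.
    if parts.username or parts.password:
        raise InsecureReturnURIError("returnURI must not embed userinfo")
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        raise InsecureReturnURIError(
            "returnURI host %r is not permitted" % parts.hostname)
    return return_uri


def is_secure_return_uri(return_uri, allowed_hosts=None):
    """Boolean form of validate_return_uri for callers that prefer no exception."""
    try:
        validate_return_uri(return_uri, allowed_hosts)
    except InsecureReturnURIError:
        return False
    return True


def build_login_redirect(login_uri, return_uri, allowed_hosts=None):
    """Build the Location value the Browse CGI redirects to.

    The returnURI is validated before it is appended, so an http returnURI is
    rejected on the sending side rather than discovered by the login page.
    """
    safe_return = validate_return_uri(return_uri, allowed_hosts)
    login = urlsplit(login_uri)
    extra = urlencode({"returnURI": safe_return})
    query = login.query + "&" + extra if login.query else extra
    return urlunsplit((login.scheme, login.netloc, login.path, query, login.fragment))


def extract_return_uri(query_string, allowed_hosts=None):
    """Login-page side: pull returnURI out of the query string and validate it.

    Rejects a missing or repeated parameter as well as an insecure value.
    """
    values = parse_qs(query_string).get("returnURI", [])
    if len(values) != 1:
        raise InsecureReturnURIError("exactly one returnURI parameter is required")
    return validate_return_uri(values[0], allowed_hosts)


if __name__ == "__main__":
    # Constructed sample values, not real hosts.
    location = build_login_redirect(
        "https://login.example.org/cgi-bin/login",
        "https://browse.example.org/cgi-bin/browse",
        allowed_hosts={"browse.example.org"})
    print(location)
    print(is_secure_return_uri("http://browse.example.org/cgi-bin/browse"))
```

Both ends apply the same check: the Browse CGI refuses to emit a redirect carrying an http returnURI, and the login page refuses to honour one, so a downgraded return address is caught even if only one side has been updated.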

Change History

comment:1 Changed 13 years ago by lawrence

  • Milestone changed from BETA to BETA+Security

comment:2 follow-up: ↓ 3 Changed 12 years ago by lawrence

  • Owner changed from lawrence to pjkersha

Do we really need to do this, if the cookie contents are encrypted in their own right?

comment:3 in reply to: ↑ 2 Changed 12 years ago by pjkersha

  • Status changed from new to assigned

Replying to lawrence:

Do we really need to do this, if the cookie contents are encrypted in their own right?

Yes we do :) - the cookie content (sessID, userDN + SessMgr? URI) is passed over the interface but not the cookie itself. The cookie is specific to each site and only a site can read its own cookie since only it has access to the private key needed to decrypt it.

comment:4 Changed 12 years ago by pjkersha

  • Status changed from assigned to closed
  • Resolution set to fixed

See #366
