Re: [phpwiki-checkins] CVS: phpwiki/lib WikiUserNew.php,NONE,1.1

On Friday, December 12, 2003, at 10:52  am, Joby Walker wrote:

> Carsten,
>
> This looks good, but as I read this you are storing the 
> username&password (in human readable form) in the contents of a cookie 
> on the end-user's machine. This seems quite bad to me.  SOP, for web 
> sites is to store a cookie with a unique id (UID).  The cookie id plus 
> some unique features of the client (IP, browser, time, etc) are then 
> checked by the server against it's session database and if verified 
> the user is logged in (very similar to Kerberos).  But by storing the 
> username & password in the cookie, it someone reads the cookie they 
> will have complete access to that account.
>
> A quick review of the cookies currently in my broswer shows:
>
> 1) UID's are primarily used -- especially with commercial sites.
> 2) Passwords are not stored in cookies.
> 3) Userid's, if used instead of a UID, are encrypted.
> 4) Very little data is in human readable form -- and none of it is 
> critical info.
>
> If I am mistaken about what you are storing in the cookie ... then 
> ignore.  But I am quite worried about this development.
>
> On a better note the classes look good.  Having different classes with 
> common methods will be very helpful for the future of phpwiki.
>
> jbw
>
> Carsten Klapp wrote:
>
> > Update of /cvsroot/phpwiki/phpwiki/lib
> > In directory sc8-pr-cvs1:/tmp/cvs-serv19754
> > Added Files:
> >         WikiUserNew.php Log Message:
> > Complete rewrite of WikiUser.php.


Hi Joby,

Thank you for the feedback, I always appreciate it! I finally got my 
own wiki up and running again (see 
http://phpwiki.sourceforge.net/phpwiki/KnownBugs, search for 
OldTextFormattingRules) so the good news is I'll be able to do 
extensive testing on the WikiUserNew stuff before deploying it into 
PhpWiki CVS.

Rest assured, it's always been my intention to make sure the password 
will be stored encrypted, whether in a cookie or within the homepage, 
so long as the PHP module is compiled to allow the function crypt(). 
I'm sure the WikiUserNew.php doesn't completely reflect all this yet in 
its current state, but I'll make sure it does in upcoming versions. :)

As far as storing the password itself (encrypted or not) within a 
cookie for auto-login, I'm not too concerned at the moment, especially 
about encrypting WikiUserIds. As Reini said, "it's only a wiki." It's 
pretty commonly known that UserIds on a wiki are just the UserName.

But if a user were to enable (the upcoming feature) "auto-login", I 
believe for now it should be sufficient enough upon enabling AutoLogin 
to just give the user a quick reminder message that, "anyone could 
potentially log in from that machine when auto-login is enabled" or 
something similar. (Joby, please do remind me later if I somehow forget 
to do this(:). Once banks or other financial institutions decide to 
start using PhpWiki ;) there's no reason why we can't (hopefully, be 
paid to) revisit the code. In that case those sites would definitely be 
using TSL/SSL too; not that it would *completely* alleviate the need 
for internally encrypted passwords but it makes coding some other 
things a little easier.

So rereading your message, I think it would indeed be best to continue 
to use the PHPSESSION cookie stuff wherever possible as you suggest, 
like PhpWiki 1.3.6/7pre currently does, to keep the cookie-passing to a 
minimum until such time as a user actually changes and saves his/her 
UserPreferences. Where the prefs & passwd are stored of course will 
depend on the type of user (AnonUser, BogoUser, PassUser, AdminUser, 
etc.) A little more work to the new code will be needed for all that 
but I think that's the way I'm going to go. And as the NewWikiUser code 
evolves too please continue to let me know if there's anything that 
might need changing or more thought.

Since we're talking about security here, naturally any follow-ups or 
concerns are welcome from anyone: I don't mean to imply 
IKnowEverything/ISeeAll here...

Cheers,
Carsten



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/