auth cookie to hide auth token #1419
Comments
Agreed. Instead of recording and checking token_auth, we could record md5( $token_auth, $login) and check that for this value in the code. Stealing this hash would not allow anything bad. This would be a small change.
Should we also consider adding a "Remember me" checkbox to the Login form?
I don't think the checkbox is necessary, most people would want to login for days, if not they can just log out :)
Replying to matt:
I think in the business section, safety is very important. So the decision, if I will be kept logged in should be assured by checking the checkbox as tracking data could be seen as personal data. Imagine the use cases:
In all cases, piwik should log out with a reasonable timeout.
we could add it for sure, checked by default. Current expiration is 30 days, probably too much...
The Miller and Jaspan recommendations are intended to narrow the window of opportunity for cookie theft. If an attacker somehow steals your cookie through XSS or CSRF, then they've stolen a valid cookie, not an invalidated one. The idea is that you would receive a warning if you tried to login with an invalidated cookie (i.e., the attacker has already logged in using the stolen cookie). Neither recommendation addresses the use cases in comment:6. Let's say I implement the Jaspan recommendation. If I login using PC1, the persistent cookie on PC1 is valid until I either explicitly logout or form login (thus, invalidating the previous cookie). And because both recommendations are intended to work from multiple PCs, if I login using PC2, I get a new persistent cookie. However, the persistent cookie on PC1 remains valid, so someone using PC1 can auto-login from PC1, and I would not receive a warning on PC2. (Hence the recommendation to provide a means to invalidate all your persistent cookies.) The idea that an auto-login should have reduced privileges is interesting, but not beneficial in Piwik's context since token_auth is pervasive and easy to grab once logged in. The REST API can't tell from the request how the caller obtained token_auth.
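The series-plus-token scheme the comment above describes (Jaspan's variant of the Miller recommendation), as an added Python example that is not code from this issue or from Piwik. The in-memory store, the `alice` login and the `series:token` cookie layout are constructed for illustration; the walkthrough reproduces the two-PC case from the comment and then the theft case, where a replayed stale cookie invalidates every series for the user.

```python
import hashlib, hmac, secrets

class TheftDetected(Exception):
    """A known series presented a token that was already rotated."""

class PersistentLogin:
    """Jaspan-style 'series + token' remember-me store (constructed, in-memory)."""

    def __init__(self):
        self.series = {}  # series_id -> {"login": str, "token_hash": str}

    @staticmethod
    def _hash(token):
        # Only the hash is stored server-side, so a leaked table yields no cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, login):
        """Form login on a device: start a new series with a fresh random token."""
        sid, tok = secrets.token_hex(16), secrets.token_hex(32)
        self.series[sid] = {"login": login, "token_hash": self._hash(tok)}
        return f"{sid}:{tok}"  # cookie value; the user's token_auth never appears

    def auto_login(self, cookie):
        """Return (login, rotated_cookie), None if unknown, or raise TheftDetected."""
        sid, _, tok = cookie.partition(":")
        rec = self.series.get(sid)
        if rec is None:
            return None  # unknown series: just ask for a normal login
        if not hmac.compare_digest(rec["token_hash"], self._hash(tok)):
            # Series known but token stale: someone else already used this
            # cookie. Drop every series for the user and warn them.
            self.invalidate_all(rec["login"])
            raise TheftDetected(rec["login"])
        new_tok = secrets.token_hex(32)  # rotate on every successful use
        rec["token_hash"] = self._hash(new_tok)
        return rec["login"], f"{sid}:{new_tok}"

    def invalidate_all(self, login):  # the "log out everywhere" control
        for sid in [s for s, r in self.series.items() if r["login"] == login]:
            del self.series[sid]

def walkthrough():
    store = PersistentLogin()
    pc1, pc2 = store.issue("alice"), store.issue("alice")
    login, _ = store.auto_login(pc1)  # PC1 still valid, PC2 gets no warning
    try:
        store.auto_login(pc1)  # old PC1 token replayed after rotation
    except TheftDetected:
        return login, True, store.auto_login(pc2)  # PC2 series gone after the alarm
    return login, False, None
```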
(In [2901]) refs #1419 - add 'Remember Me' to Login form; unchecked by default (which is safe by default); small change to core/Cookie.php to allow cookie to expire at end-of-session; shorten persistent cookie life to 14 days. Note: potential compat buster: logme() cookie is no longer persistent
(In [2902]) refs #1419 - set cookie to expire at end-of-session if user record is changed
(In [3023]) refs #1419 - tests for hashed token
Reopening, in current piwik version the cookie contains the token_auth, which we'd like to avoid and looks like it is a regression? We must ensure token_auth is not leaked or stored in the browser cache in any way... See #3359 The goal of this ticket is to check why token_auth is in the auth cookie, and change code to hide the token before storing in cookie. Old style cookies will result in logout and force user to re-login (when upgrading).
@capedfuzz @vipsoft what are your thoughts on the ideal quick & perfect fix for this matter, ie. remove token_auth from cookie?
Removing token_auth from the cookie is a good first step but doesn't mitigate the risk of cookie theft (that's what the Miller and Jaspan recommendations are about).
I don't think we can easily change this. afaik the cookie stores the token's hash not the token itself. Please reopen if you have an idea or suggestion of code change!
see Session not invalidated after logout #6531
If I'm not mistaken, the token_auth is stored in the piwik_auth cookie.
This mechanism is well known for a number of vulnerabilities.
[http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/]
[http://jaspan.com/improved_persistent_login_cookie_best_practice]
The auto-login should be rewritten using one of those best practices.