Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

caching and partitioning of user credentials

Russ Allbery eagle at windlord.stanford.edu
Mon Jul 12 10:51:56 PDT 2010


John DeStefano <john.destefano at gmail.com> writes:

> Don't know whether this is expected behavior and a configuration error
> on my part, or a possible problem: after enabling memory caching for
> static objects (images, CSS, certain scripts), we found that certain
> users' login sessions were being "hijacked" by other users, i.e., a user
> browsing an authenticated site would suddenly and unwittingly assume the
> identity of another logged-in user (usually one with an account of
> higher privilege).

What memory caching method are you using and how did you enable it?  It
sounds like your memory caching method is not aware of either dynamic
content or different authentication cookies for different users and hence
is just handing out whatever page it last cached even though the
authentication context of the user has changed.

> In the module documentation, I see several cache-related WebAuth
> directives (likely 'WebAuthUseCreds','WebAuthCredCacheDir', etc.), but
> it's unclear to me how to configure Apache to carry a user's valid
> credentials throughout a session ... but so that they are partitioned
> properly and safely from other users.  This directive would likely need
> to be set on our Kerberos/Webauth server,

Actually, I don't think so.  I don't think this problem has anything to do
with either Kerberos or WebAuth, and none of the WebAuth directives are
relevant here.  I think it's a problem with your caching method.

WebAuth is fairly normal for web authentication systems in using cookies
for authentication.  The caching system, provided that it's designed to
deal with authenticated content at all, should have some mechanism in
place to recognize that a particular cookie is an authentication cookie
and invalidate pages when that cookie changes.

WebAuth already carries a user's valid credentials through a session but
keeps them partitioned from all other users.  It does this by storing a
cookie in the user's browser and checking that cookie on every request.
Of course, in order to do that, every request has to go through the
WebAuth module so that the check can be performed.  If you enable caching
in a way that means that's not happening, you have to be very careful that
you never cache a URL that varies based on whether the user is
authenticated.

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University



More information about the webauth-info mailing list