
Access Control Theory

Posted: Wed Jul 14, 2004 1:45 am
by AGISB
I am trying to secure a members section. I am thinking of combining http-authentication with custom MySQL session handling.
I was thinking the following would work, but I am not sure if there could be any problems.

Image

The session vars would be saved in a MySQL database including IP, Hostname, Timestamp etc. A garbage routine would go over this table every 15 min to delete the expired session entries.

Do any of you have an idea how I can solve the AOL proxy problem? In my model an AOL user would have to authenticate every time he clicks a link and his IP changed.

Thanks

Andy

Posted: Wed Jul 14, 2004 2:10 am
by feyd
why not, have a valid session, and whatnot.. you bypass the other junk?

Posted: Wed Jul 14, 2004 3:33 am
by AGISB
I was thinking that if a user has cookies disabled I still have the user/IP/Host check to log out someone who uses an open browser of, e.g., a coworker.

The members section will be completely in SSL. It does not generate much bandwidth but the data is sensible.

If a user, for example, logs in at a public Internet terminal that has cookies disabled and the browser stays open, the http-authentication will let anybody on who uses the history to access this section.
If I check against a database that also has the username, ip, even if the session_id is useless (due to the disabled cookies) I can still disable the access after a short period.

Posted: Wed Jul 14, 2004 3:38 am
by feyd
session id can be passed around without cookies..

Since you have a session garbage collector already, that would clear a large amount of coworkers getting into stuff.. (as long as your time-to-live is somewhat short)

Posted: Wed Jul 14, 2004 3:44 am
by AGISB
But this means the session_id is in the URL. Wouldn't that mean a bigger security risk?

Posted: Wed Jul 14, 2004 3:46 am
by AGISB
I might add, that I need an IP check anyhow to check for multiple logins with the same password.

Posted: Wed Jul 14, 2004 3:47 am
by feyd
the cookie data is passed on every call, that's pretty much the same often..

Posted: Wed Jul 14, 2004 12:50 pm
by McGruff
AGISB wrote: But this means the session_id is in the URL. Wouldn't that mean a bigger security risk?
Yes - but that might be acceptable depending on how high your security needs are.

As you have mentioned, you can't use IP to identify a user. You can however use sessions. If a session already exists for a particular user profile you can prevent someone else logging in with the same password at the same time. A custom session handler makes that easier - a quick db check.

Mind you, if someone else does have the password, there's nothing to stop them logging in later when the valid user has logged off. If you managed to identify a compromised password, privileges should be removed from that profile until the valid user has registered a new pass.

Posted: Wed Jul 14, 2004 4:35 pm
by hawleyjr
AGISB wrote: I was thinking that if a user has cookies disabled I still have the user/IP/Host check to log out someone who uses an open browser of, e.g., a coworker.
A lot of companies use a single IP address on their proxy, displaying the same IP regardless of the user.

Therefore, this wouldn't do you much good.