
devel - [sympa-dev] Sessions management in Sympa

Subject: Developers of Sympa

  • From: Olivier Salaün - CRU <address@concealed>
  • To: address@concealed
  • Subject: [sympa-dev] Sessions management in Sympa
  • Date: Fri, 14 Jan 2005 09:37:22 +0100

This topic was tackled by a user in our bug tracking system:
* Initial Observations:
Knowing the "sympauser" cookie is equivalent to knowing a user's password. If an attacker finds the value of the "sympauser" cookie he can load it into his browser and Sympa will not ask for a password. That in itself is not a problem.

* User's Expectations:
Users commonly expect that if their password is disclosed to an attacker, they have to change it. Since the attacker only knows the old password, not the new one, they are safe.

* How Sympa currently fails to meet that expectation:
The value of the sympauser cookie does not depend on the password (the shared secret), only on the email address. Thus even though the user has changed his password, the attacker can still access the user account, since Sympa will still accept the old sympauser cookie.
  
We are aware of this problem and there are a few other things we'd like to change in the authentication process in Sympa:

1) don't store the password in a reversible way in the database. This implies that we won't be able to remind it anymore. We'll provide a reset feature instead.

2) allow SSO systems allowing global logout to perform a logout for a user in Sympa


The solution for (2) and the request below is to maintain a list of active sessions on the server side (instead of having the sessions maintained on the client side only). This way sympa could reset a session anytime it is triggered:

    * user logout
    * user changes his password
    * triggered by the listmaster

The session ID (the value of the HTTP cookie, also stored in the session DB) would be random, no semantics in it.


-- 
Olivier Salaün
Comité Réseau des Universités
-------------------------------------------
Validation signature / Trusting  signature: --> http://igc.cru.fr/trust.html
------------------------------------------- 

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
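The following is an added illustration of the design sketched in the message above, not code from Sympa or from the author: a server-side session table keyed by a random session ID, which is dropped on logout, on password change, or on a listmaster revocation, next to a password record stored as a salted PBKDF2 hash rather than reversibly (item 1). The `legacy_cookie_value` function is a stand-in for the property the bug report describes (a cookie value that depends only on the email address) and is not Sympa's actual cookie algorithm; the in-memory dictionaries, the `AuthStore` class and the server secret are all constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-in for the old scheme: the cookie is a function of the
# email only, so it stays valid no matter how often the password changes.
# Hypothetical secret; NOT the real Sympa cookie construction.
LEGACY_SERVER_SECRET = b"constructed-demo-secret"


def legacy_cookie_value(email: str) -> str:
    """Value that depends only on the email address (illustration of the flaw)."""
    return hmac.new(LEGACY_SERVER_SECRET, email.encode(), hashlib.sha256).hexdigest()


class AuthStore:
    """Hypothetical in-memory replacement for Sympa's user and session tables."""

    PBKDF2_ROUNDS = 100_000  # constructed value for the demo

    def __init__(self):
        self.users = {}     # email -> {"salt": bytes, "hash": bytes}
        self.sessions = {}  # session_id -> {"email": str, "created": float}

    # --- item (1): store the password non-reversibly -------------------------
    def set_password(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)
        self.users[email] = {"salt": salt, "hash": digest}
        # A password change (or reset) invalidates every session of that user,
        # which is the user expectation the bug report describes.
        self.revoke_user_sessions(email)

    def verify_password(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], self.PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, rec["hash"])

    # --- server-side sessions with a random, meaningless ID ------------------
    def login(self, email: str, password: str):
        """Return a fresh random session ID, or None on bad credentials."""
        if not self.verify_password(email, password):
            return None
        sid = secrets.token_urlsafe(32)  # no semantics in the cookie value
        self.sessions[sid] = {"email": email, "created": time.time()}
        return sid

    def resolve(self, sid: str):
        """Map a presented cookie value back to a user, or None if not active."""
        rec = self.sessions.get(sid)
        return rec["email"] if rec else None

    def logout(self, sid: str) -> None:
        """Trigger: user logout (or an SSO global logout relayed to Sympa)."""
        self.sessions.pop(sid, None)

    def revoke_user_sessions(self, email: str) -> int:
        """Trigger: password change or listmaster action; returns sessions dropped."""
        stale = [s for s, r in self.sessions.items() if r["email"] == email]
        for s in stale:
            del self.sessions[s]
        return len(stale)


if __name__ == "__main__":
    store = AuthStore()
    store.set_password("alice@example.org", "old-secret")
    sid = store.login("alice@example.org", "old-secret")
    print("session active:", store.resolve(sid))
    store.set_password("alice@example.org", "new-secret")
    print("after password change:", store.resolve(sid))  # None: session revoked
    print("legacy cookie unchanged:", legacy_cookie_value("alice@example.org"))
```

Because the session record lives on the server, any of the three triggers in the message (logout, password change, listmaster action) can delete it and the cookie the client still holds becomes meaningless; the legacy value, by contrast, is identical before and after the password change, which is exactly the gap the bug report points at.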



