Quote from: OpenGeek at May 07, 2006, 11:39 PM
If someone could research and contribute a secure and flexible cookie-based authentication scheme to implement with MODx, that would be great. This is simply a limitation of the original authentication code which is completely dependent on the server session settings, and no one has yet addressed.
I have re-read this thread a couple of times, and i guess I don`t understand what you`re asking for here.
What`s not secure or flexible about the current modx session support? Isn`t it a good thing that the sessions are based on "standard PHP" servers session settings?
My understanding is this: When you log into modx, the server generates a random session key and puts it in a cookie that is sent to the browser. Each time the browser makes a request, it sends the cookie (with the random session key) to the server. The server looks-up/stores data associated with the random session in a file (or in the DB if you use my script).
So here are what I see as security issues:
1) It seems difficult for anyone to guess the random session key of another user. Assuming they’re really random.
2) All the session data is stored in the server, not in the cookie. So looking at the cookies in the browser cache isn’t a security hole.
3) On a shared server, all the session information is in a common directory (as long as you use the defaults). In this case, other users of the shared server could look in the files in that common directory and see session info. It seems that changing settings to store the cookies in the DB solves this nicely.
4) The server timeout (for security reasons) can be configurable. In regular MODX you have to change PHP_INI. In my script, you can just set a constant (or read it from DB or whatever). When it does timeout, the session ENDS. This is a good thing. It makes it hard for someone to walk up to a browser that has just been closed (in a hotel or internet cafe) and reuse the session. UNLESS THE SESSION IS REALLY LONG.
To address #4, it sounds as if (at least one person) asked for: Allow short sessions (to address the internet cafe issue), but keep the connectoin alive via periodic AJAX "pings" until the user closes the browser. Then since there are no more pings, the server session would soon timeout. I guess this is because the onClose event is unreliable (at least on safari).
What other configuration and flexibility do you have in mind? What do we need to add here?
-- Jorge.