cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marcus <shadow...@gmail.com>
Subject Re: refresh browser - logged out from ACS ?
Date Wed, 27 May 2015 16:39:16 GMT
CC'd security@ ...

Yeah, we definitely want to involve as many people as we can from the
original change. Cookies and javascript variables are very different
things, cookies are available across tabs/windows (hence why the change
breaks auto-login via opening a new tab) and persist beyond the life of the
page load. Variables are not available across windows, and when you refresh
it's gone, unless you store it in a cookie or use the HTML5 local storage
API.

I think it's safe to say that, objectively speaking, putting something in a
JS variable is more secure than a cookie, but the real question is why
cookies weren't deemed "secure enough", and I have a hunch that there's a
specific answer to that which we'd want to find out before doing anything.
It looks like Min Chen and Rohit were involved in changing this code,
though I can't seem to tie it back to a specific CLOUDSTACK bug. I see
references to CS-18149 and CS-19734, but I don't know what those are and
the details on the commits are sparse.

On Wed, May 27, 2015 at 4:00 AM, Rafael Fonseca <rsafonseca@gmail.com>
wrote:

> Thank you Stephen, it's always nice to have some more people reviewing
> this, this just got started through looking at a broken feature, not a
> security issue. But if improving security will get the consensus for
> actually fixing what's broken, that's what I propose :-) two for one hehe
>
> Rafael
> On May 27, 2015 12:56 PM, "Stephen Turner" <Stephen.Turner@citrix.com>
> wrote:
>
> > I've got no specific view on your change, Rafael: I just think security
> > matters should be discussed on the security list. I'm copying this email
> to
> > them.
> >
> > --
> > Stephen Turner
> >
> >
> > -----Original Message-----
> > From: Rafael Fonseca [mailto:rsafonseca@gmail.com]
> > Sent: 27 May 2015 11:50
> > To: dev@cloudstack.apache.org
> > Subject: Re: refresh browser - logged out from ACS ?
> >
> > Well, if just 'discuss' an issue with a security team, it may do you no
> > good as they will not have all the answers without actually
> > testing/reviewing If you ask a security team if you should have a client
> > handled cookie with credentials they will immediately tell you it's not
> > wise to do so, but they will probably not guess that the same data is
> just
> > getting kept in a js variable or they would also advise against it.
> > I think that it's clear that my approach improves security and restores
> > functionality (just read a bit about handling sensitive data on js side
> and
> > have a quick look at my code in the PR) Although this does not propose to
> > be a magical security solution, it DOES improve on current security and
> > DOES restore a broken functionality.
> >
> > Feel free to move this to the security list, but ultimately all users
> > should be able to view the status in the PR.
> >
> >
> > On Wed, May 27, 2015 at 12:27 PM, Stephen Turner <
> > Stephen.Turner@citrix.com>
> > wrote:
> >
> > > I know for sure it was discussed with Citrix security team before
> > > changing it. Probably also on the ACS security list, but I'm not on
> that
> > list.
> > > Anyway, even if the security concern turns out to be illusory, we
> > > shouldn't change a claimed security fix without taking it back to the
> > security list.
> > >
> > > --
> > > Stephen Turner
> > >
> > >
> > > -----Original Message-----
> > > From: Rafael Fonseca [mailto:rsafonseca@gmail.com]
> > > Sent: 27 May 2015 11:16
> > > To: dev@cloudstack.apache.org
> > > Subject: Re: refresh browser - logged out from ACS ?
> > >
> > > This doesn't really do much for security, since the sessionKey is
> > > still available to JS in a window variable, so this mostly just breaks
> > > functionality and adds no value.
> > > This probably wasn't discusses with security experts before
> > > implementation, so this just breaks functionality period.
> > > My approach does indeed add some security (set a httponly cookie with
> > > the
> > > data) and restores session persistence.
> > >
> > >
> > >
> > > On Wed, May 27, 2015 at 11:50 AM, Stephen Turner <
> > > Stephen.Turner@citrix.com>
> > > wrote:
> > >
> > > > Is this being discussed on the security list? I think that's the
> > > > place for it, because I wouldn't want us to restore the old
> > > > behaviour without a proper audit from security experts.
> > > >
> > > > --
> > > > Stephen Turner
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Rafael Fonseca [mailto:rsafonseca@gmail.com]
> > > > Sent: 27 May 2015 10:39
> > > > To: dev@cloudstack.apache.org
> > > > Subject: Re: refresh browser - logged out from ACS ?
> > > >
> > > > Hi guys,
> > > >
> > > > I had a look at this issue yesterday and created a PR to fix it,
> > > > it's being discussed here
> > > > https://github.com/apache/cloudstack/pull/308
> > > > Since this seems to be a security related issue I will be updating
> > > > my PR soon with a secure fix :)
> > > >
> > > > On Wed, May 27, 2015 at 11:24 AM, Andrija Panic
> > > > <andrija.panic@gmail.com>
> > > > wrote:
> > > >
> > > > > its not the case with i.e. 4.3.2...its is the case with 4.4.3 and
> > > > > 4.5.1 at the moment...
> > > > >
> > > > > On 27 May 2015 at 11:20, Vadim Kimlaychuk
> > > > > <Vadim.Kimlaychuk@elion.ee>
> > > > > wrote:
> > > > >
> > > > > > Is it possible to fix? It seems such a behaviour was always
be
> > > > > > like
> > > > this.
> > > > > >
> > > > > > Vadim.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Andrija Panic [mailto:andrija.panic@gmail.com]
> > > > > > Sent: Wednesday, May 27, 2015 12:17 PM
> > > > > > To: dev@cloudstack.apache.org
> > > > > > Subject: Re: refresh browser - logged out from ACS ?
> > > > > >
> > > > > > openign a new windows/tab with same address/URL also break
> > things...
> > > > > >
> > > > > >
> > > > > > On 27 May 2015 at 11:11, Stephen Turner
> > > > > > <Stephen.Turner@citrix.com>
> > > > > wrote:
> > > > > >
> > > > > > > Agreed, I thought it was on opening a new window (maybe
a new
> > > > > > > tab
> > > > > > > too?) rather than refresh. But maybe refresh broke too
as a
> > > > > > > side
> > > > > effect.
> > > > > > >
> > > > > > > --
> > > > > > > Stephen Turner
> > > > > > >
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: ilya [mailto:ilya.mailing.lists@gmail.com]
> > > > > > > Sent: 27 May 2015 04:28
> > > > > > > To: dev@cloudstack.apache.org
> > > > > > > Subject: Re: refresh browser - logged out from ACS ?
> > > > > > >
> > > > > > > But it was not refresh - to best of my recollection..
> > > > > > >
> > > > > > > On 5/26/15 8:27 PM, ilya wrote:
> > > > > > > > I vaguely recall Rohit mentioned it was some sort
of
> > > > > > > > security fix that was causing this side effect due
to the
> > > > > > > > way sessionids were
> > > > > > handled..
> > > > > > > >
> > > > > > > > On 5/26/15 8:15 AM, Andrija Panic wrote:
> > > > > > > >> Thx Rafael, as usuall :)
> > > > > > > >>
> > > > > > > >> I remember there was some thread on this topic,
but cant
> > > > > > > >> really find it...
> > > > > > > >>
> > > > > > > >> On 26 May 2015 at 17:14, Rafael Fonseca
> > > > > > > >> <rsafonseca@gmail.com>
> > > > > wrote:
> > > > > > > >>
> > > > > > > >>> Hi Andrija,
> > > > > > > >>>
> > > > > > > >>> I noticed the same is also happening on the
4.6.0-SNAPSHOT
> ..
> > > > > > > >>> it's a bit annoying.
> > > > > > > >>>
> > > > > > > >>> I'll have a closer look later today if i can
find the time
> > > > > > > >>> for it
> > > > > > > >>> :)
> > > > > > > >>>
> > > > > > > >>>
> > > > > > > >>> On Tue, May 26, 2015 at 4:11 PM, Andrija Panic
> > > > > > > >>> <andrija.panic@gmail.com>
> > > > > > > >>> wrote:
> > > > > > > >>>
> > > > > > > >>>> Hi guys,
> > > > > > > >>>>
> > > > > > > >>>> just wondering - when I refresh browser/UI
I get logged
> > > > > > > >>>> out of ACS
> > > > > > > >>>> -
> > > > > > > >>> 4.4.3
> > > > > > > >>>> (testing with 4.5.1 in few minutes...).
> > > > > > > >>>>
> > > > > > > >>>> I remember there was some thread on this,
but can't
> > > > > > > >>>> really find it
> > > > > > > >>> anywhere
> > > > > > > >>>> This behaviour is not present in 4.3 and
prior AFAIK.
> > > > > > > >>>>
> > > > > > > >>>> Any tips ?
> > > > > > > >>>> --
> > > > > > > >>>>
> > > > > > > >>>> Andrija Panić
> > > > > > > >>>>
> > > > > > > >>
> > > > > > > >>
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > >
> > > > > > Andrija Panić
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Andrija Panić
> > > > >
> > > >
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message