Hi Karim,
thanks for the response.
I am unsure if I have a vote, but if so: +1 for removing
mb_user_password from the user's session and changing/removing all
modules which depend on that.
What do others think?
I am far too unfamiliar with the way mapbender wants to go but remember
faintly that 3.0 was supposed to only have a minimal set of
functionality. So changing or removing modules not working without the
mb_user_password in the session should be IMO OK.
Regards,
Marc
On 21.05.2010 14:11, Karim Malhas wrote:
Hi Marc,
is it true that we currently are storing the supplied credentials of a
user in a readable form within the session? If so, why exactly are we
doing that?
You mean this in conf/session.conf:
Mapbender::session()->set("mb_user_password",$password);
?
...
I grepped for 'mb_user_password' and found 5 places where the password
is taken from the session:
mod_insertKmlIntoDb.php which seems to be unused (it references the
non-existent mb_meetingpoint table)
javascripts/mod_home.php where the password is used to construct a
kind of auto-login, I don't think that's a good idea
javascripts/mod_saveWmcKml.php is this also obsolete?
php/mod_meetingPoint.php and this?
php/mod_editElements.php I didn't take the time to figure out why, but
it opens a new window with the login-frame to also perform a kind of
auto-login. I don't see why this is necessary, we already have a
Session, so no need for this
May I propose we kick mb_user_password from the session asap?
Or were you talking about something else?
As I am storing my session data within a database, I see me faced with
major security or data privacy issues. Am I exaggerating and paranoid or
is this a structural flaw?
I don't think you are exaggerating, passwords don't belong in the session store.
Regards,
Karim
_______________________________________________
Mapbender_dev mailing list
[email protected]
http://lists.osgeo.org/mailman/listinfo/mapbender_dev
--
.................................................................
Published in April:
OpenLayers - Webentwicklung mit dynamischen Karten und Geodaten
by M. Jansen and T. Adams, OpenSourcePress, München.
ISBN: 978-3-937514-92-5
URL: http://openlayers-buch.de
.................................................................
Dipl.-Geogr. Marc Jansen
- Application Developer -
terrestris GmbH & Co. KG
Irmintrudisstraße 17
53111 Bonn
Tel: ++49 (0)228 / 96 28 99 -53
Fax: ++49 (0)228 / 96 28 99 -57
Email: [email protected]
Web: http://www.terrestris.de
Amtsgericht Bonn, HRA 6835
General partner: terrestris Verwaltungsgesellschaft mbH
represented by: Hinrich Paulsen, Till Adams
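The flaw discussed in this thread, shown as an added example that is not Mapbender's own code: the login step as conf/session.conf does it beside a version that keeps the password out of the session store, plus the check the "auto-login" modules could use instead of re-sending credentials. It assumes plain `$_SESSION` (equivalent to the `Mapbender::session()->set()` wrapper quoted above), a hypothetical `findUser()` backed by a constructed user table, and password hashes created with PHP's `password_hash()`.

```php
<?php
// Constructed sample user table; stands in for Mapbender's user database.
$USERS = ['marc' => ['id' => 42, 'hash' => password_hash('example-only', PASSWORD_DEFAULT)]];

// Hypothetical lookup, assumed for this example.
function findUser(string $name): ?array
{
    global $USERS;
    return $USERS[$name] ?? null;
}

function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Weak: mirrors the line quoted from conf/session.conf. With a database-backed
// session handler the plaintext password is serialized into the session table,
// readable by anyone with access to that table or its backups.
function loginWeak(string $user, string $password): void
{
    ensureSession();
    $_SESSION['mb_user_name']     = $user;
    $_SESSION['mb_user_password'] = $password; // plaintext lands in the session store
}

// Hardened: verify the credentials once, then keep only the user id and an
// authenticated flag. Nothing in the session store can be replayed as a password.
function loginHardened(string $user, string $password): bool
{
    $row = findUser($user);
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;
    }
    ensureSession();
    session_regenerate_id(true);   // fresh session id after the privilege change
    $_SESSION['mb_user_id'] = $row['id'];
    $_SESSION['mb_authed']  = true;
    return true;
}

// What mod_home.php / mod_editElements.php can rely on instead of an
// "auto-login": the existing session already proves who the user is.
function requireLogin(): int
{
    ensureSession();
    if (empty($_SESSION['mb_authed']) || !isset($_SESSION['mb_user_id'])) {
        http_response_code(401);
        exit('login required');
    }
    return (int) $_SESSION['mb_user_id'];
}
```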