Re: [SOGo] Session Cookie Obfuscator / Session management uniknsogosession
Would it be possible to use that to auth other webapps over SOGo? Like some kind of cheap SSO?

On Thu, Nov 18, 2010 at 8:28 PM, Ben bugrepor...@vescentphotonics.com wrote:
>> For those who don't want to store basic username:password as user cookie on the browser, we decided to publish the apache module we use here to anonymize the session cookie. It refers to request nr 000698, http://www.sogo.nu/bugs/view.php?id=698
>> The obfuscation/anonymization with user key is done by an apache module, it can be found here: http://southbrain.com/software/sogosession/ Be sure to read http://southbrain.com/software/sogosession/NOTICE before.
>
> I just want to give a shout-out and say thanks. I just upgraded to 1.3.4 and compiled and installed the apache module and it works great. Easy to set up. I've added a cron job to delete stale sessions after a timeout. Better security, and the timeout is great as users often close the webmail tab (not the browser) without logging off, and before, when that happened, someone could go to the webmail URL and access their mail.
>
> Any thoughts from the SOGo team on including this in SOGo officially?
>
> Ben

--
users@sogo.nu
https://inverse.ca/sogo/lists
[SOGo] Session Cookie Obfuscator / Session management uniknsogosession
For those who don't want to store basic username:password as user cookie on the browser, we decided to publish the apache module we use here to anonymize the session cookie. It refers to request nr 000698, http://www.sogo.nu/bugs/view.php?id=698

I am using 64 bytes of XOR key data stored in the browser's cookie cache (and not in the session database) with which the username:password data is encrypted (XOR'ed) and stored in the session database. At any time this key sent by the browser is needed to get the real SOGo cookie to form a session. 64 bytes should be sufficient to exceed a normal SOGo cookie length, forming a perfect OTP algorithm (XOR key length >= message length). The browser stores the session identifier and this 64-byte user key. Only the session identifier is stored in the session database.

SOGo is a great product and we like it, and also how it evolves and how requests are handled. We had a problem however to store passwords in the browser's cookie store when we cannot control the browser's environment (example: Internet site in Abidjan, Ivory Coast or Douala, Cameroon (where I sometimes reside)).

The obfuscation/anonymization with user key is done by an apache module, it can be found here: http://southbrain.com/software/sogosession/ Be sure to read http://southbrain.com/software/sogosession/NOTICE before. It needs at least the Apache 2.0 module API, so no chance to get it running with Apache 1.3.x.

Have a nice Monday evening. In Southern Germany it is raining and raining and everything is gray.

Pascal
--
Pascal Gienger
Jabber/XMPP/Mail: pascal.gien...@uni-konstanz.de
University of Konstanz, IT Services Department (Rechenzentrum)
Electronic Communications and Web Services
Building V, Room V404, Phone +49 7531 88 5048, Fax +49 7531 88 3739
Re: [SOGo] Session Cookie Obfuscator / Session management uniknsogosession
On 10-10-25 2:24 PM, Pascal Gienger wrote:
> For those who don't want to store basic username:password as user cookie on the browser, we decided to publish the apache module we use here to anonymize the session cookie.
[snip]

Thanks for this. What's the license of your code? If appropriate, we could integrate it directly in SOGo instead of relying on an Apache module.

Regards,
--
Ludovic Marcotte
lmarco...@inverse.ca :: +1.514.755.3630 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [SOGo] Session Cookie Obfuscator / Session management uniknsogosession
If you integrate this into SOGo (which would be great; I do not like the idea of even temp cookies having plaintext passwords), I have a feature request: session timeout. If someone leaves a connection idle for X minutes, the session is no longer valid. If I understand how this patch is working, it shouldn't be hard to have Postgres store the most recent access time and every X minutes remove stale sessions.

Ben

On 25.10.10 21:47, Ludovic Marcotte wrote:
>> Thanks for this. What's the license of your code? If appropriate, we could integrate it directly in SOGo instead of relying on an Apache module.
>
> Consider it as public domain. I am not used to Objective-C, so I tried to set it up as an apache module. It is a workaround. And still no direct password is stored on the server, this is what I wanted.
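The mechanism Pascal describes (a 64-byte random key held only in the browser's cookie, the username:password XOR'ed with it and only the XOR'ed blob kept in the session database) and Ben's idle-timeout request (record the last access time, drop sessions idle longer than X minutes, plus the cron-style purge), shown together as one added Python example. This is not the southbrain apache module's code and nothing from SOGo: the SQLite table layout, the cookie names `sid` and `key`, the `KEY_LEN` constant and the timeout values are assumptions made for illustration only. One check the example adds that the post does not spell out: a credential longer than the key is refused rather than wrapped, because reusing key bytes is what breaks the one-time-pad argument.

```python
import os
import sqlite3
import time

KEY_LEN = 64  # bytes of random XOR key kept only by the browser (per the post; assumed constant name)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key. The one-time-pad property only holds when no key
    byte is reused, so refuse input longer than the key instead of wrapping."""
    if len(data) > len(key):
        raise ValueError("credential longer than XOR key; key bytes would be reused")
    return bytes(d ^ k for d, k in zip(data, key))


class SessionStore:
    """Server-side session table (in-memory SQLite here; hypothetical layout).
    The table holds the session id, the XOR'ed credential and the last-access
    time. The key needed to recover the credential is never written to it."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sessions ("
            "sid TEXT PRIMARY KEY, blob BLOB NOT NULL, last_access REAL NOT NULL)"
        )

    def create(self, credential: str, now: float) -> dict:
        """Open a session and return the two cookie values the browser keeps."""
        sid = os.urandom(16).hex()
        key = os.urandom(KEY_LEN)
        blob = xor_bytes(credential.encode("utf-8"), key)
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (sid, blob, now))
        self.db.commit()
        return {"sid": sid, "key": key.hex()}  # hypothetical cookie names

    def stored_blob(self, sid: str):
        """What an attacker with read access to the session DB would see."""
        row = self.db.execute("SELECT blob FROM sessions WHERE sid = ?", (sid,)).fetchone()
        return None if row is None else bytes(row[0])

    def resolve(self, cookies: dict, now: float, idle_timeout: float):
        """Rebuild the real credential for one request, enforcing the idle timeout.
        Returns None if the session is unknown or has been idle too long."""
        sid = cookies["sid"]
        row = self.db.execute(
            "SELECT blob, last_access FROM sessions WHERE sid = ?", (sid,)
        ).fetchone()
        if row is None:
            return None
        blob, last_access = row
        if now - last_access > idle_timeout:
            # Expired on access: drop it so a later request cannot revive it.
            self.db.execute("DELETE FROM sessions WHERE sid = ?", (sid,))
            self.db.commit()
            return None
        self.db.execute("UPDATE sessions SET last_access = ? WHERE sid = ?", (now, sid))
        self.db.commit()
        # A wrong or tampered key yields garbage; the backend's own auth rejects it.
        key = bytes.fromhex(cookies["key"])
        return xor_bytes(bytes(blob), key).decode("utf-8", "replace")

    def purge_stale(self, now: float, idle_timeout: float) -> int:
        """The cron-job side of the timeout: delete every session idle longer
        than idle_timeout seconds and return how many were removed."""
        cur = self.db.execute(
            "DELETE FROM sessions WHERE last_access < ?", (now - idle_timeout,)
        )
        self.db.commit()
        return cur.rowcount

    def count(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]


if __name__ == "__main__":
    store = SessionStore()
    cookies = store.create("alice:s3cret", now=time.time())
    print("browser holds:", cookies)
    print("database holds:", store.stored_blob(cookies["sid"]).hex())
    print("resolved for request:", store.resolve(cookies, now=time.time(), idle_timeout=900))
```

Two things worth keeping in mind when reading this. The key travels with every request, so the scheme separates the two halves (the database alone and the cookie jar alone each reveal nothing) but anyone who captures both cookies has the credential; that is the same exposure as any bearer session cookie. And `resolve` refreshes `last_access` on every successful use, so the timeout is an idle timeout, not an absolute one, which is what Ben asked for.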