LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

Should web developers say no to cookie-based authentication?

March 24, 2010

This article was contributed by Nathan Willis

Timothy D. Morgan of Virtual Security Research (VSR) has written a paper proposing a system for web applications to authenticate users that offers significantly better security than the common practice of storing session IDs in cookies. Morgan's proposal is based on the existing (but seldom-used) HTTP Digest Access Authentication method, so it could be implemented with very little effort in existing web browsers and web servers. He argues that digest authentication's lack of popularity is primarily due to inflexible implementations that web developers find inconvenient compared to the simplicity of using cookies, and suggests some changes that could make it more appealing.

The paper, "Weaning the Web off of Session Cookies: Making Digest Authentication Viable," is available as a PDF from the VSR web site. Morgan begins by outlining the established security problems with using cookies to store session IDs on the user's web browser. In a typical scheme, a user authenticates to a web application via a username/password combination entered through an HTML form, after which a session key is sent back to the user's browser and stored in a cookie, the value of which is either generated pseudorandomly or is some value that is encrypted server-side.

Even if the communication channel uses SSL/TLS, however, there are security problems with this approach. The pseudorandom number generator may be predictable or the encryption algorithm insecure, allowing an attacker to spoof the session. Worse, such session IDs can be exposed in URLs, and captured in referrer logs, proxy logs, and browser histories. In addition, many popular web application frameworks set a session cookie before requiring login, then subsequently "upgrade" the session to an authenticated state after redirecting the user to a login page — but using the same cookie. An attacker can hijack such a session simply by visiting the HTTP site before the login takes place and recording the session ID.

Morgan also points out several flaws with cookie-based session IDs at the protocol level. First, a cookie originally sent on HTTPS will also be sent over HTTP on subsequent requests, unless the web developer takes the proactive step of setting the "secure" flag on the cookie, which few application frameworks do. Second, by default stored cookies are available to client-side JavaScript, making them vulnerable to theft via cross-site-scripting attacks. Internet Explorer and Firefox both feature an "HttpOnly" cookie flag to block this behavior, but other browsers do not, and few session-management frameworks have adopted it. Failure to automatically time-out sessions and poorly-implemented single sign-on (SSO) methods also make many cookie-based session management schemes vulnerable.

Digest

Morgan then explains the basics of HTTP Digest Authentication, which was introduced with HTTP 1.1 in RFC 2069, and updated in RFC 2617. Digest authentication is an improvement over HTTP Basic Access Authentication, which simply encodes the username/password combination in base64 and transmits it to the server in plaintext.

Digest authentication is significantly more secure, because it computes a cryptographic hash based on the username, password, HTTP authentication realm, a server-provided nonce, the URI requested, the request method and (optionally) the request body. The RFC 2617 revision also includes a nonce count and a client nonce to further protect the integrity of the request.

The primary reason that digest authentication is not popular with web developers, Morgan says, is that it does not integrate into application and site design. All major web browsers implement HTTP basic and digest authentication in the same way, by launching a generic, modal pop-up window prompting the user for his or her username and password. The pop-up cannot be integrated into page design, nor customized, which makes it unappealing to developers. In addition to that, when using digest authentication there is no established method for the application to log the user out (which is a security risk of its own).

Finally, the current version of HTTP digest authentication specifies the MD5 hash algorithm, which is known to be vulnerable to preimage computation — although using the RFC 2617 mode makes such an attack impractical by incorporating the client-side nonce in its response.

The proposed improvements

Morgan suggests three methods to make digest authentication more accessible — and thus, useful — to web application developers.

The first is to use AJAX to take a username/password combination from an HTML form and generate the HTTP digest authentication request, which preserves the developer's ability to customize and control the login page. Making this method work seamlessly, however, would require a change to the way application respond if the username/password fails. Most web servers send a 401 error code, which causes today's browsers to automatically open a pop-up window; thus negating the work to integrate the authentication into the page. If the server returned a different error code, however, that problem could be avoided.

More difficult is how to provide a system with which the application can trigger a logout. Morgan observes that when most popular browsers receive the 401 Unauthorized error code, they immediately launch the authentication pop-up window, regardless of whether the user was already logged into the site. But this behavior is not specified in the HTTP standard; if browsers simply checked for existing credentials in the cache, a 401 could be used to trigger a logout in the event that the user is logged in, and prompt for credentials if the user is not logged in.

He also suggests another solution, a new HTTP header called "Authentication-Control" that could be used to terminate a session from the web server.

Practical problems

The paper outlines several practical problems that would come with attempting to migrate to digest authentication for session management. To begin with, digest authentication is so rarely used that its implementation in popular web servers and web browsers is immature. Just as bad, today's browsers have weak, bare-bones user interfaces for HTTP authentication. Password managers do not differentiate between credentials stored for HTTP sites and those stored for HTTPS, making man-in-the-middle attacks possible.

The authentication pop-up windows are also sparse in their presentation, offering confusing messages that make phishing attacks possible. Morgan shows example windows from Internet Explorer, Firefox, Safari and Opera, in which the "realm" value sent in the authentication request is used to display an intentionally-misleading message to the user.

Finally, Morgan notes, because application developers have relied on cookie-based session management for several years, they have become accustomed to the application framework handling session management. Switching to digest authentication would mean relying on the web server to manage the session authentication, and that change could meet with resistance.

Reaction

Morgan posted news of the paper to Bugtraq, Full Disclosure, and several other security mailing lists in January. Reaction was mixed; while most agreed with the technical arguments, some thought that the paper did not explain how important web application functionality — namely SSO — could be made to work with digest authentication. The strongest disagreements, however, came from those who argued that the amount of coding and refactoring required to change web application frameworks' authentication systems make the entire argument moot.

The proposal did receive a friendlier reception in mozilla.dev.security, however, where Mozilla's Dan Veditz pointed out similar work on improving web authentication going on at Mozilla Labs.

Will web developers be weaned off of their cookie addiction? Presumably that hinges on whether the popular application frameworks undertake the task of replacing cookies as a session-tracking tool. Morgan argues in the paper that because cookies are widely used for many general-purpose tasks, asking them to correctly implement secure authentication is a losing battle: other concerns, from marketing to SSO, will always be more popular, and get the lion's share of developer attention. But it is interesting to note that an almost-complete, more secure solution already exists in the standards. Perhaps decoupling authentication and cookies would be a quicker process than the naysayers believe.

Comments (13 posted)

Brief items

Blaze: The Spy in the Middle

Matt Blaze looks at the business of SSL man-in-the-middle attacks. "A paper published today by Chris Soghoian and Sid Stamm suggests that the threat may be far more practical than previously thought. They found turnkey surveillance products, marketed and sold to law enforcement and intelligence agencies in the US and foreign countries, designed to collect encrypted SSL traffic based on forged 'look-alike' certificates obtained from cooperative certificate authorities. The products, available only to government agencies, appear sophisticated, mature, and mass-produced, suggesting that 'certified man-in-the-middle' web surveillance is at least commonplace and widespread enough to support an active vendor community."

Comments (30 posted)

New vulnerabilities

asterisk: denial of service

Package(s):asterisk CVE #(s):CVE-2010-0441
Created:March 23, 2010 Updated:April 1, 2010
Description: From the CVE entry:

Asterisk Open Source 1.6.0.x before 1.6.0.22, 1.6.1.x before 1.6.1.14, and 1.6.2.x before 1.6.2.2, and Business Edition C.3 before C.3.3.2, allows remote attackers to cause a denial of service (daemon crash) via an SIP T.38 negotiation with an SDP FaxMaxDatagram field that is (1) missing, (2) modified to contain a negative number, or (3) modified to contain a large number.

Alerts:
Fedora FEDORA-2010-3381 2010-03-03
Fedora FEDORA-2010-3724 2010-03-06

Comments (none posted)

curl: denial of service

Package(s):curl CVE #(s):CVE-2010-0734
Created:March 22, 2010 Updated:March 6, 2012
Description: From the Mandriva advisory:

content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.

Alerts:
Ubuntu USN-1158-1 2011-06-24
rPath rPSA-2010-0072-1 2010-10-27
CentOS CESA-2010:0329 2010-04-06
CentOS CESA-2010:0329 2010-04-06
Red Hat RHSA-2010:0329-01 2010-03-30
Red Hat RHSA-2010:0273-05 2010-03-30
Pardus 2010-43 2010-03-29
Debian DSA-2023-1 2010-03-28
Mandriva MDVSA-2010:062 2010-03-19
Gentoo 201203-02 2012-03-05

Comments (none posted)

glpi: cross-site scripting

Package(s):glpi CVE #(s):
Created:March 24, 2010 Updated:March 24, 2010
Description: GLPI suffers from a mysterious cross-site scripting problem in the embedded phpCAS library.
Alerts:
Fedora FEDORA-2010-5106 2010-03-23
Fedora FEDORA-2010-5188 2010-03-23

Comments (none posted)

ikiwiki: cross-site scripting

Package(s):ikiwiki CVE #(s):
Created:March 22, 2010 Updated:March 24, 2010
Description: From the Debian advisory:

Ivan Shmakov discovered that the htmlscrubber component of ikwiki, a wiki compiler, performs insufficient input sanitization on data:image/svg+xml URIs. As these can contain script code this can be used by an attacker to conduct cross-site scripting attacks.

Alerts:
Debian DSA-2020-1 2010-03-20

Comments (none posted)

krb5: denial of service

Package(s):krb5 CVE #(s):CVE-2010-0628
Created:March 24, 2010 Updated:March 30, 2010
Description: From the Ubuntu advisory: Nalin Dahyabhai, Jan iankko Lieskovsky, and Zbysek Mraz discovered that Kerberos did not correctly handle certain GSS packets. An unauthenticated remote attacker could send specially crafted traffic that would cause services using GSS-API to crash, leading to a denial of service.
Alerts:
SuSE SUSE-SR:2010:007 2010-03-30
Fedora FEDORA-2010-4677 2010-03-16
Ubuntu USN-916-1 2010-03-23

Comments (none posted)

mediawiki: information disclosure

Package(s):mediawiki CVE #(s):
Created:March 24, 2010 Updated:March 24, 2010
Description: Mediawiki suffers from a couple of information disclosure vulnerabilities. Editors are allowed to display external images on web pages, making browser information available on the image server. An insufficient permission check allows restricted image files to be viewed more widely than intended.
Alerts:
Debian DSA-2022-1 2010-03-23

Comments (none posted)

php5: denial of service

Package(s):php5 CVE #(s):CVE-2010-0397
Created:March 19, 2010 Updated:December 2, 2010
Description: From the Debian advisory:

Auke van Slooten discovered that PHP 5, an hypertext preprocessor, crashes (because of a NULL pointer dereference) when processing invalid XML-RPC requests.

Alerts:
CentOS CESA-2010:0919 2010-12-01
CentOS CESA-2010:0919 2010-11-30
Red Hat RHSA-2010:0919-01 2010-11-29
SUSE SUSE-SR:2010:017 2010-09-21
Ubuntu USN-989-1 2010-09-20
openSUSE openSUSE-SU-2010:0599-1 2010-09-10
Fedora FEDORA-2010-11428 2010-07-27
Fedora FEDORA-2010-11481 2010-07-27
Fedora FEDORA-2010-11428 2010-07-27
Fedora FEDORA-2010-11481 2010-07-27
Fedora FEDORA-2010-11428 2010-07-27
Fedora FEDORA-2010-11481 2010-07-27
Pardus 2010-104 2010-08-09
Mandriva MDVSA-2010:140 2010-07-27
Mandriva MDVSA-2010:139 2010-07-27
SuSE SUSE-SR:2010:012 2010-05-25
SuSE SUSE-SR:2010:013 2010-06-14
Pardus 2010-44 2010-03-29
Mandriva MDVSA-2010:068 2010-03-27
Debian DSA-2018-1 2010-03-18

Comments (none posted)

puppet: temporary file vulnerability

Package(s):puppet CVE #(s):CVE-2009-3564
Created:March 24, 2010 Updated:March 24, 2010
Description: Puppet contains a temporary file vulnerability which can be exploited by a local user to overwrite arbitrary files.
Alerts:
Ubuntu USN-917-1 2010-03-24
Gentoo 201203-03 2012-03-05

Comments (none posted)

qt: multiple vulnerabilities

Package(s):qt CVE #(s):CVE-2010-0046 CVE-2010-0049 CVE-2010-0050 CVE-2010-0051 CVE-2010-0651 CVE-2010-0052 CVE-2010-0054 CVE-2010-0047 CVE-2010-0048 CVE-2010-0053
Created:March 23, 2010 Updated:March 27, 2012
Description: From the Fedora advisory:

This update fixes several WebKit security issues: * CVE-2010-0046: CSS format() argument memory corruption * CVE-2010-0049: Use of free()d line boxes in mixed LTR/RTL text * CVE-2010-0050: Crash at HTMLParser after handling misnested style tags * CVE-2010-0051 (CVE-2010-0651): Remote information disclosure * CVE-2010-0052: Cached page can result in accessing a destroyed HTMLInputElement * CVE-2010-0054: Use of stale HTMLImageElement pointer.

Alerts:
Fedora FEDORA-2011-16151 2011-11-19
Mandriva MDVSA-2011:039 2011-03-02
SUSE SUSE-SR:2011:002 2011-01-25
openSUSE openSUSE-SU-2011:0024-1 2011-01-12
Fedora FEDORA-2010-8379 2010-05-11
Fedora FEDORA-2010-8360 2010-05-11
Fedora FEDORA-2010-4524 2010-03-15
Fedora FEDORA-2010-4518 2010-03-15
Fedora FEDORA-2012-3483 2012-03-26

Comments (none posted)

samba: symbolic link vulnerability

Package(s):samba CVE #(s):CVE-2010-0926
Created:March 24, 2010 Updated:February 21, 2012
Description: From the Ubuntu advisory: It was discovered the Samba handled symlinks in an unexpected way when both "wide links" and "UNIX extensions" were enabled, which is the default. A remote attacker could create symlinks and access arbitrary files from the server.
Alerts:
SUSE SUSE-SR:2010:014 2010-08-02
SuSE SUSE-SR:2010:008 2010-04-07
SuSE SUSE-SR:2010:007 2010-03-30
Ubuntu USN-918-1 2010-03-24
Red Hat RHSA-2012:0313-03 2012-02-21
Oracle ELSA-2012-0313 2012-03-07

Comments (none posted)

spamass-milter: arbitrary shell execution

Package(s):spamass-milter CVE #(s):
Created:March 22, 2010 Updated:March 24, 2010
Description: From the Debian advisory:

It was discovered a missing input sanitization in spamass-milter, a milter used to filter mail through spamassassin. This allows a remote attacker to inject and execute arbitrary shell commands.

Alerts:
Debian DSA-2021-1 2010-03-22

Comments (none posted)

thunderbird: denial of service

Package(s):thunderbird CVE #(s):CVE-2009-2470
Created:March 18, 2010 Updated:April 23, 2010
Description:

From the Red Hat advisory:

A flaw was found in the way Thunderbird processed SOCKS5 proxy replies. A malicious SOCKS5 server could send a specially-crafted reply that would cause Thunderbird to crash. (CVE-2009-2470)

Alerts:
Mandriva MDVSA-2010:071 2010-04-23
CentOS CESA-2010:0153 2010-03-26
CentOS CESA-2010:0154 2010-03-17
Red Hat RHSA-2010:0153-02 2010-03-17
Red Hat RHSA-2010:0154-02 2010-03-17
Gentoo 201301-01 2013-01-07

Comments (none posted)

thunderbird: arbitrary code execution

Package(s):thunderbird CVE #(s):CVE-2010-0163
Created:March 18, 2010 Updated:August 17, 2010
Description:

From the Ubuntu advisory:

Ludovic Hirlimann discovered a flaw in the way Thunderbird indexed certain messages with attachments. A remote attacker could send specially crafted content and cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2010-0163)

Alerts:
CentOS CESA-2010:0499 2010-08-16
Mandriva MDVSA-2010:071 2010-04-23
Fedora FEDORA-2010-7100 2010-04-21
CentOS CESA-2010:0499 2010-07-21
Red Hat RHSA-2010:0499-01 2010-06-22
SuSE SUSE-SR:2010:013 2010-06-14
Debian DSA-2025-1 2010-03-31
Ubuntu USN-915-1 2010-03-18
Gentoo 201301-01 2013-01-07

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds