AUTHENTICATED_USER is not reliable! [Was: [Zope] become user (su inside Zope) - pretend to be another user]

Jim Penny jpenny at universal-fasteners.com
Fri Oct 24 12:57:55 EDT 2003


On Fri, 24 Oct 2003 18:20:02 +0200
Dario Lopez-Kästen <dario at ita.chalmers.se> wrote:

> Jens Vagelpohl wrote:
> 
> > Why is everybody so obsessed with AUTHENTICATED_USER? This variable
> > is not suitable for anything deserving the name "security". It is
> > NOT SAFE to assume that it will contain anything useful.
> 
> Right, when can we consider REQUEST to be fairly safe? I.e. I know
> that it can be manipulated by any kind of script during the lifetime
> of a request, and also be populated from the URL. I consider
> manipulation from scripts acceptable behaviour, from the URL not.

Well, there are two answers.  First, this is what sessions are really
designed for.  I am not a big fan of sessions, because they lead to code
that is harder to debug, and because the stateless nature of HTTP
implies the necessity for implicit timeouts.  Sessions do, however,
solve this problem, and also can lead to substantial bandwidth
reduction.

Second, if you have a set of variables that are being handled in the
request, you can take care of security yourself.  Concatenate the string
representations of the variables, and a site or folder specific secret
string.  Calculate SHA of this concatenated string. Put the variables in
the REQUEST per normal, but add the SHA, as well.

When the REQUEST comes back, repeat the calculation, being sure to
concatenate the strings and secret in the same order and compare the
newly calculated SHA with the SHA in the REQUEST. If they differ, either
one of the REQUEST variables or the SHA itself has been tampered with. 
Reject.

Jim Penny
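The sign-then-verify check described in the second answer above, written out as an added example (it is not code from this thread or from Zope). It assumes a plain dict standing in for REQUEST.form and a site secret that lives in configuration rather than in the request, and it uses HMAC-SHA-256 over a canonical encoding of the fields instead of a bare SHA over the raw concatenation, which avoids the length-extension weakness of hash(secret || data) and the ambiguity of unseparated concatenation.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Hypothetical per-site secret (constructed for this example). A real
# deployment keeps it in site configuration, never in the REQUEST itself.
SITE_SECRET = b"constructed-example-secret-do-not-reuse"
SIG_FIELD = "sig"


def canonical(fields):
    """Encode the fields in a fixed order with explicit separators.

    Sorting fixes the order (the same on both sides, as the post requires)
    and urlencode percent-escapes '&' and '=' so two different field sets
    can never produce the same byte string.
    """
    return urlencode(sorted((k, str(v)) for k, v in fields.items())).encode()


def mac_for(fields, secret=SITE_SECRET):
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def sign_fields(fields, secret=SITE_SECRET):
    """Return a copy of the fields plus a signature covering all of them."""
    if SIG_FIELD in fields:
        raise ValueError(f"{SIG_FIELD!r} is reserved for the signature")
    signed = dict(fields)
    signed[SIG_FIELD] = mac_for(fields, secret)
    return signed


def verify_fields(request_form, secret=SITE_SECRET):
    """Recompute the MAC over every field except the signature.

    Returns True only when the signature is present and matches; a changed,
    added or dropped field, or a missing/altered signature, all fail.
    """
    sig = request_form.get(SIG_FIELD)
    if not isinstance(sig, str):
        return False
    fields = {k: v for k, v in request_form.items() if k != SIG_FIELD}
    # Constant-time comparison so the check does not leak digest prefixes.
    return hmac.compare_digest(mac_for(fields, secret), sig)
```

On a failed check the request is rejected outright, as the post says; the handler should not fall back to trusting the unsigned values.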


