Apache-SecSess


README

protocol designed to defend against attacks which exploit known cookie 
vulnerabilities.


2.  Summary of Features
-----------------------

   * Secure sharing of multi-level credentials within and across DNS domains.
   * Support for different representations of credentials with the ability to 
     chain and interoperate between them.
   * Built-in defense against on-line guessing attacks.
   * Built-in session timeout, both idle and hard-limit.
   * Built-in SU-type function for admins to switch user IDs.
   * Encapsulated database interface.


3.  Known Security Issues with HTTP Cookies
-------------------------------------------

Issue 1: The Caching Problem

SecSess/DBI.pm

	unless ($status eq 'enabled') { return $status; } # disabled or unknown
	unless ($token) { return 'empty'; } # empty token argument
	unless ($token eq $self->get_stored_token($uid, $authid)) {
		$self->note_auth_failure($uid, $authid);
		return 'again'; # 'again' means 'wrong' but may be visible in URL
	}
	$self->note_auth_success($uid, $authid);
	return 'OK';
}

## protect against online guessing attacks
sub note_auth_failure {
	my $self = shift;
	my($uid, $authid) = @_;
	my($asth, $maxfail, $uasth, $failcount, $usth);

	## determine if we must count failures at all
	$self->refresh_dbh;
	$asth = $self->{dbh}->prepare(<<'ENDSQL');
		SELECT maxfail
		FROM authens
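The fragment above shows the shape of the on-line guessing defense: a token check that returns one of a small set of status words ('OK', 'again', 'empty', or the stored status such as 'disabled'), with every mismatch routed through note_auth_failure, which consults a per-authenticator maxfail limit in the authens table. The following is an added example, not code from Apache::SecSess, that carries the same logic through end to end in Python so it can be run stand-alone: the tokens table with its status and failcount columns, the rule that a missing or zero maxfail means failures are not counted, the reset of the counter on success, and the switch to 'disabled' once maxfail is reached are all assumptions made for this example rather than the module's actual schema. The comparison uses hmac.compare_digest so the mismatch path leaks no timing; the Perl fragment uses string eq.

```python
"""Added example (not Apache::SecSess code): token verification with an
on-line guessing counter, modelled on the DBI.pm fragment above.

Assumed schema (not the module's real one):
  authens(authid, maxfail)            -- maxfail NULL/0 => failures not counted
  tokens(uid, authid, token, status, failcount)
"""
import hmac
import sqlite3

SCHEMA = """
CREATE TABLE authens (authid TEXT PRIMARY KEY, maxfail INTEGER);
CREATE TABLE tokens  (uid TEXT, authid TEXT, token TEXT,
                      status TEXT NOT NULL DEFAULT 'enabled',
                      failcount INTEGER NOT NULL DEFAULT 0,
                      PRIMARY KEY (uid, authid));
"""


class TokenStore:
    """Minimal stand-in for the DBI-backed object in SecSess/DBI.pm."""

    def __init__(self, maxfail_by_authid):
        self.dbh = sqlite3.connect(":memory:")   # constructed test database
        self.dbh.executescript(SCHEMA)
        for authid, maxfail in maxfail_by_authid.items():
            self.dbh.execute("INSERT INTO authens VALUES (?, ?)", (authid, maxfail))

    def set_token(self, uid, authid, token):
        self.dbh.execute(
            "INSERT OR REPLACE INTO tokens (uid, authid, token, status, failcount) "
            "VALUES (?, ?, ?, 'enabled', 0)", (uid, authid, token))

    def _row(self, uid, authid):
        return self.dbh.execute(
            "SELECT token, status, failcount FROM tokens WHERE uid=? AND authid=?",
            (uid, authid)).fetchone()

    def get_status(self, uid, authid):
        row = self._row(uid, authid)
        return row[1] if row else "unknown"

    def get_stored_token(self, uid, authid):
        row = self._row(uid, authid)
        return row[0] if row else None

    def verify_token(self, uid, authid, token):
        status = self.get_status(uid, authid)
        if status != "enabled":
            return status                 # 'disabled' or 'unknown', as in the fragment
        if not token:
            return "empty"                # empty token argument: not a guess, not counted
        stored = self.get_stored_token(uid, authid) or ""
        if not hmac.compare_digest(token.encode(), stored.encode()):
            self.note_auth_failure(uid, authid)
            return "again"                # 'wrong', but harmless if it shows up in a URL
        self.note_auth_success(uid, authid)
        return "OK"

    def note_auth_failure(self, uid, authid):
        """Count a failed attempt; disable the credential at maxfail."""
        row = self.dbh.execute(
            "SELECT maxfail FROM authens WHERE authid=?", (authid,)).fetchone()
        if row is None or not row[0]:
            return                        # this authenticator does not count failures
        maxfail = row[0]
        self.dbh.execute(
            "UPDATE tokens SET failcount = failcount + 1 WHERE uid=? AND authid=?",
            (uid, authid))
        if self._row(uid, authid)[2] >= maxfail:
            self.dbh.execute(
                "UPDATE tokens SET status='disabled' WHERE uid=? AND authid=?",
                (uid, authid))

    def note_auth_success(self, uid, authid):
        """A correct token resets the guessing counter."""
        self.dbh.execute(
            "UPDATE tokens SET failcount = 0 WHERE uid=? AND authid=?", (uid, authid))


def demo():
    """Constructed scenario: a 3-strike PIN authenticator for user 'alice'."""
    store = TokenStore({"pin": 3, "cert": 0})
    store.set_token("alice", "pin", "1234")
    attempts = ["", "0000", "1111", "1234", "2222", "3333", "4444", "1234"]
    return [store.verify_token("alice", "pin", t) for t in attempts]


if __name__ == "__main__":
    print(demo())
```

In demo(), two wrong guesses followed by the right PIN return 'again', 'again', 'OK' and clear the counter; three consecutive wrong guesses after that flip the credential to 'disabled', and the correct PIN then returns 'disabled' rather than 'OK'. An authenticator with maxfail 0 (the 'cert' entry) never locks, matching the "determine if we must count failures at all" branch in the fragment.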

demo/httpdconf/httpd.sec1.conf

#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

#
# Server-pool size regulation.  Rather than making you guess how many
# server processes you need, Apache dynamically adapts to the load it
# sees --- that is, it tries to maintain enough server processes to
# handle the current load, plus a few spare servers to handle transient
# load spikes (e.g., multiple simultaneous requests from a single
# Netscape browser).
#
# It does this by periodically checking how many servers are waiting
# for a request.  If there are fewer than MinSpareServers, it creates
# a new spare.  If there are more than MaxSpareServers, some of the
# spares die off.  The default values are probably OK for most sites.

rfc/rfc2964.txt

         service, even though the user has previously approved a
         service's request to maintain state information.

   (5)   Clients SHOULD provide an effective interface which allows a
         user to terminate a previous request not to retain state
         management information for a given service.

3.2.  Limitations of the domain-match algorithm

   The domain-match algorithm in RFC-2965 section 2 is intended as a
   heuristic to allow a client to "guess" whether or not two domains are
   part of the same service.  There are few rules about how domain names
   can be used, and the structure of domain names and how they are
   delegated varies from one top-level domain to another (i.e. the
   client cannot tell which part of the domain was assigned to the



Moore & Freed            Best Current Practice                  [Page 6]

RFC 2964              Use of HTTP State Management          October 2000