I've had this in the back of my mind for a while but only looked at it
yesterday. I think we have a potential problem with the way kojiweb is
using SSL. To a lesser extent it affects our TurboGears apps as well.
= Koji =
Kojiweb uses SSL to authenticate the client. This is fine. Kojiweb
then stores a session cookie on the client's machine so the client
doesn't have to go through the auth mechanism on every transaction.
This is also fine. However, kojiweb does not require that this cookie
be sent back to the server via SSL and when you initially hit koji via a
non-SSL connection only the authentication itself uses SSL. koji sends
the session cookie over an unencrypted connection. This leaves koji
open to packet sniffing and man-in-the-middle attacks.
To prevent this we should be doing two things:
1) Set the session cookie's secure flag to True
2) Once logged in, return the user to an https URL rather than http.
= TurboGears =
Our TurboGears apps are all running behind
so they have to use an SSL link in order
to pull up content. However, the plain http link is active; it just
redirects to the SSL page. This means that if you log in and then
explicitly request a plain http URL the session cookie will be returned
to the server over an unencrypted connection. This is not too bad as
the TG servers should be setup to return https links (so someone would
have to actually change the URL to http after logging in) but it is a hole.
I sent an email last month to say that we'd be upgrading to TG-1.0.3 to
close this hole but dropped the ball on actually doing the upgrade.
I'll be doing that today; please let me know if you experience any
strange problems with your web application and we'll try to work out if
it's TG-1.0.3 related.