Our Web Apps and SSL

Toshio Kuratomi a.badger at gmail.com
Tue Nov 27 17:14:21 UTC 2007


I've had this in the back of my mind for a while but only looked at it 
yesterday.  I think we have a potential problem with the way kojiweb is 
using SSL.  To a lesser extent it affects our TurboGears apps as well.

= Koji =

Kojiweb uses SSL to authenticate the client.  This is fine.  Kojiweb 
then stores a session cookie on the client's machine so the client 
doesn't have to go through the auth mechanism on every transaction. 
This is also fine.  However, kojiweb does not require that this cookie 
be sent back to the server via SSL and when you initially hit koji via a 
non-SSL connection only the authentication itself uses SSL.  Koji sends 
the session cookie over an unencrypted connection.  This leaves koji 
open to packet sniffing and man-in-the-middle attacks.

To prevent this we should be doing two things:
1) Set the session cookie's secure flag to True
2) Once logged in, return the user to an https URL rather than http.

= TurboGears =

Our TurboGears apps are all running behind 
https://admin.fedoraproject.org so they have to use an SSL link in order 
to pull up content.  However, the plain http link is active; it just 
redirects to the SSL page.  This means that if you log in and then 
explicitly request a plain http URL the session cookie will be returned 
to the server over an unencrypted connection.  This is not too bad as 
the TG servers should be set up to return https links (so someone would 
have to actually change the URL to http after logging in) but it is a hole.

I sent an email last month to say that we'd be upgrading to TG-1.0.3 to 
close this hole but dropped the ball on actually doing the upgrade. 
I'll be doing that today; please let me know if you experience any 
strange problems with your web application and we'll try to work out if 
it's TG-1.0.3 related.

-Toshio
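The two fixes proposed above (Secure flag on the session cookie, and never answering over plain http once logged in) as a small WSGI wrapper. This is an added example, not koji's or TurboGears' code; the cookie name `session`, the host `koji.example.org` and the `login_app` upstream are constructed stand-ins.

```python
from urllib.parse import quote

SESSION_COOKIE = "session"  # assumed name; the real koji cookie name is not given in the mail


def secure_cookie(header_value, cookie_name=SESSION_COOKIE):
    """Add Secure (and HttpOnly) to a Set-Cookie header for the session cookie
    when missing; cookies with other names pass through unchanged."""
    if header_value.split("=", 1)[0].strip() != cookie_name:
        return header_value
    attrs = [a.strip() for a in header_value.split(";")]
    present = {a.lower() for a in attrs}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            attrs.append(flag)
    return "; ".join(attrs)


def https_only(app, cookie_name=SESSION_COOKIE):
    """WSGI wrapper: fix 1 forces the Secure flag on the session cookie; fix 2
    redirects every plain-http request to https so the cookie is never sent in the clear."""
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            target = "https://%s%s" % (environ.get("HTTP_HOST", "localhost"),
                                       quote(environ.get("PATH_INFO", "/")))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", target)])
            return [b""]

        def patched_start(status, headers, exc_info=None):
            fixed = [(k, secure_cookie(v, cookie_name) if k.lower() == "set-cookie" else v)
                     for k, v in headers]
            return start_response(status, fixed, exc_info)
        return app(environ, patched_start)
    return wrapped


def login_app(environ, start_response):
    """Constructed stand-in for the login handler: sets the cookie without Secure (the bug)."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"logged in\n"]


def call(app, scheme="https", path="/login", qs=""):
    """Drive a WSGI app with a constructed request; return (status, header dict)."""
    seen = {}
    def start(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    list(app({"wsgi.url_scheme": scheme, "HTTP_HOST": "koji.example.org",
              "PATH_INFO": path, "QUERY_STRING": qs}, start))
    return seen["status"], dict(seen["headers"])
```

Wrapping the real application (`https_only(app)`) in front of the server is enough to close the hole described above; the redirect also handles the post-login return to an https URL.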




More information about the infrastructure mailing list