Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/11/18 13:54:39 UTC

[Bug 64930] New: Option for not storing user-password in the session when "SitePassphrase" is set

https://bz.apache.org/bugzilla/show_bug.cgi?id=64930

            Bug ID: 64930
           Summary: Option for not storing user-password in the session
                    when "SitePassphrase" is set
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P3
         Component: mod_auth_form
          Assignee: bugs@httpd.apache.org
          Reporter: sascha.bauer@allianz.at
                CC: sascha.bauer@allianz.at
  Target Milestone: ---

Created attachment 37574
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37574&action=edit
patch to implement "AuthFormDisablePwStore" directives and its function

Currently "mod_auth_form" has the possibility to set a "SitePassphrase". When
"SitePassphrase" is set then mod_auth_form uses the SitePassphrase + user
stored in the session for authentication instead of user+password for every access
- of course after an initial authentication with user+password.

So "mod_auth_form" does not have to store the user-password in the session
after initial authentication when using "SitePassphrase", but it does.

For security reasons it is a good idea to NOT store the user-password in the
session when using "SitePassphrase". Especially when "mod_session_dbd" is used
(to store session data on the server side) using a database which resides on
the same machine as httpd, the server-admin can easily capture all passwords
(even when using "mod_session_crypto").

My patch introduces a new directive for "mod_auth_form" called
"AuthFormDisablePwStore". When "AuthFormDisablePwStore" is set to "On" (default
"Off"), "mod_auth_form" will be prevented from storing the user-password in the
session. If "AuthFormDisablePwStore" is set to "On" and "SitePassphrase" is NOT
set, "AuthFormDisablePwStore" will be ignored.

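The configuration the report describes, as an added illustration that is not part of the bug report or the attached patch: a form-authenticated location where `AuthFormSitePassphrase` (the directive the report calls "SitePassphrase") lets later requests be re-authenticated from the session instead of from user+password, with the proposed `AuthFormDisablePwStore` directive placed beside it. All other directives are existing httpd directives; `AuthFormDisablePwStore` exists only in the patch attached to this bug, and the file paths and passphrase values are placeholders.

```apache
# Added example, not from the bug report or the patch. AuthFormDisablePwStore
# is the directive proposed by attachment 37574 and is not in a stock httpd;
# every other directive below is a standard mod_auth_form / mod_session one.

LoadModule session_module        modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule auth_form_module      modules/mod_auth_form.so
LoadModule request_module        modules/mod_request.so
LoadModule authn_file_module     modules/mod_authn_file.so
LoadModule authz_core_module     modules/mod_authz_core.so

<Location "/admin">
    AuthFormProvider file
    AuthUserFile "/etc/httpd/conf/admin.htpasswd"   # placeholder path
    AuthType form
    AuthName "/admin"
    # The login page posts httpd_username / httpd_password back to /admin.
    AuthFormLoginRequiredLocation "/login.html"

    Session On
    SessionCookieName session path=/;httponly;secure
    # Encrypts the session; the report notes this alone does not keep the
    # password away from an administrator who can read the session store.
    SessionCryptoPassphrase "PLACEHOLDER-long-random-crypto-passphrase"

    # After the first user+password login, mod_auth_form re-authenticates
    # later requests from the username stored in the session plus this
    # site passphrase, so the password itself is no longer needed.
    AuthFormSitePassphrase "PLACEHOLDER-long-random-site-passphrase"

    # Proposed by the patch: stop writing the user-password into the
    # session. Only meaningful together with AuthFormSitePassphrase; the
    # report states it is ignored when the site passphrase is not set.
    AuthFormDisablePwStore On

    Require valid-user
</Location>
```

The same two lines apply unchanged if the session is kept server-side with mod_session_dbd instead of in a cookie, which is the deployment the report is most concerned about; the storage backend only changes where the session record lives, not what mod_auth_form writes into it.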