From: lekensteyn at gmail.com (Peter Wu)
Subject: authentication support: work has begun!
Date: Wed, 15 Jan 2014 19:17:51 +0100 [thread overview]
Message-ID: <4500221.0uF48Q1BnU@al> (raw)
In-Reply-To: <CAHmME9qUPhGUJu3DYp=cqfEqd-A7RyTVxHrz2tyqG64MsZi_7A@mail.gmail.com>
On Wednesday 15 January 2014 14:42:12 Jason A. Donenfeld wrote:
> > An important consideration is caching. Adding the Set-Cookie header
> > disables
> > caching for nginx at least, but other authenticated requests can still be
> > cached.
>
> Not completely though. I've taken careful precaution to ensure that caching
> from the cgit end stays in tact. If the cookie is authenticated, then cgit
> is able to serve up the cached pages from its own cache. If the cookie is
> unauthenticated, then, yes, it displays an uncached version of the "please
> authenticate" page.
>
> I did not check the ramification this has on nginx's handling of HTTP
> caching of resources, however. Can you elaborate on this, if it's a
> problem, and how to mitigate it?
Consider the use of fastcgi_cache as shown in this config:
http://lists.zx2c4.com/pipermail/cgit/2013-April/001307.html
The current login page is cachable, you should add "Cache-Control: private" to
prevent that. Otherwise, with the nginx fastcgi cache enabled, you will still
see the login page. Perhaps a redirect to /login?url=%2Fglouglou%2Flog is more
obvious? (302)
A related issue exists when
(1) an authenticated user requests the resource. nginx caches it.
(2) an unauthenticated user requests the resource. nginx cache returns the
supposedly password-protected resource.
Again, use of the Cache-Control header would help here, but then no protected
resource will be cached by nginx (bug/feature).
> The HMAC mention doesn't have to do with cleartext vs non-cleartext. It's
> for this reason -- I'm not going to be relying in an "auth=1" cookie for
> authentication passing. This is trivially spoofable. Instead, there's going
> to be something like "${username}|${expiration-unix-time}|${salt}|${hmac}",
> so that such state is stored in the cookie itself, but then validated
> server side using a secret.
Yes, I understood that auth=1 is a temporary hack for demonstration purposes,
your use of a HMAC looks safe. :)
Aside from storing passwords in plaintext, I see no other obvious issues.
Thanks,
Peter
next prev parent reply other threads:[~2014-01-15 18:17 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-15 1:02 Jason
2014-01-15 9:28 ` lekensteyn
2014-01-15 13:42 ` Jason
2014-01-15 18:17 ` lekensteyn [this message]
2014-01-15 18:29 ` Jason
2014-01-16 0:40 ` Jason
2014-01-16 11:14 ` Jason
2014-01-15 17:46 ` Jason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4500221.0uF48Q1BnU@al \
--to=cgit@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).