You are not logged in.
Pages: 1
if someone wants to make life difficult for mORMot user, there is possible to close session by already used session_signature
(1) http://localhost:8888/root/Person?session_signature=0008277fd9e786aded76b248
first captured URL
(2) http://localhost:8888/root/auth?UserName=Admin&Session=534399&session_signature=0008277fd9e786aded76b248
new prepared URL with the same signature
best regards,
Maciej Izak
Offline
If you know last session_signature is possible to close session by using the same session_signature used before in other context (for example for viewing some data). IMO this behavior should be blocked.
Maybe is good to store somehow last used session_signature generated by TSQLRestServerAuthenticationDefault for blocking purpose?
best regards,
Maciej Izak
Offline
How do you know the last session_signature of an other user?
Offline
@hnb
Which authentication are you using?
Are you using the latest framework version, including ticket http://synopse.info/fossil/tktview?name=7723fa7ebd ?
AFAIK
http://localhost:8888/root/auth?UserName=Admin&Session=534399&session_signature=0008277fd9e786aded76b248
should be rejected in TSQLRestServerAuthentication*.RetrieveSession() so Ctxt.Session=0, and therefore TSQLRestServerAuthentication.AuthSessionRelease should not release the session.
Offline
@danielkuettner by using websniffer?
@ab
1. tested with fresh rev. 2fbeef2825
2. used authentication is TSQLRestServerAuthenticationDefault
3. tested with modified RESTserver demo - Sample 28 with authentication:
...
aRestServer := TSQLRestServerDB.Create(aModel,':memory:',true); // authentication=true
...
4. for testing modified Sample 28 I have created small tool:
{$APPTYPE CONSOLE}
{$R *.res}
uses
System.SysUtils,
SynCrossPlatformJSON,
SynCrossPlatformSpecific,
SynCrossPlatformCrypto,
SynCrossPlatformREST;
var
Login, Passwd, nonce: string;
aServerNonce, aClientNonce: string;
PasswordHashHexa, aPassHash, IdAndKey, fSessionIDHexa8, aSessionID: string;
fSessionPrivateKey: Cardinal;
i: integer;
c: char;
begin
Login := 'Admin';
Passwd := 'synopse';
WriteLn('Server nonce:');
ReadLn(aServerNonce);
aClientNonce := SHA256Compute([Copy(NowToIso8601,1,16)]);
PasswordHashHexa := SHA256Compute(['salt',Passwd]);
aPassHash := Sha256Compute(['root',aServerNonce,aClientNonce,
Login,PasswordHashHexa]);
WriteLn('Client nonce = ', aClientNonce);
WriteLn('Pass = ', aPassHash);
WriteLn('SessionID+PrivateKey:');
ReadLn(IdAndKey);
i := 1;
GetNextCSV(IdAndKey,i,aSessionID,'+');
fSessionIDHexa8 := LowerCase(IntToHex(StrToInt(aSessionID),8));
repeat
fSessionPrivateKey := crc32ascii(crc32ascii(0,IdAndKey),PasswordHashHexa);
nonce := LowerCase(IntToHex(trunc(Now*(24*60*60)),8));
WriteLn(fSessionIDHexa8+nonce+LowerCase(IntToHex(
crc32ascii(crc32ascii(fSessionPrivateKey,nonce),'root/Person'),8)));
readln(c);
until c = 'q';
end.
as first parameter for attached tool pass "Server nonce" - result of http://localhost:8888/root/Person/auth?UserName=Admin
you will receive "Pass" and "Client nonce" from tool
as second parameter for attached tool pass result of http://localhost:8888/root/Person/auth?UserName=Admin&PassWord={Pass}&ClientNonce={Client nonce}
you will receive session_signature for testing purpose. by pressing enter in tool you will get next session_signature.
Last edited by hnb (2015-11-05 19:48:16)
best regards,
Maciej Izak
Offline
@hnb
Why don't you use SSL and basic auth when you want a secure solution? If you sniff this you won't find a session_signature.
Perhaps you have find a "bug" under using http+session, but even if you "close" it, you won't have a secure solution.
If you can sniff a session_signature you can also sniff the whole communication. Sure, you can encrypt it, but you have the unencrypted initialization part (you can read the URI) and than you will come to SSL.
Offline
@danielkuettner
This is only bug report. I want perfect mORMot framework as possible. I want to see mORMot as alternative for Java EE .
best regards,
Maciej Izak
Offline
@ab Yes, you are right. It was created for fun to see how is created session_signature "step-by-step", without using debugger to track code inside mORMot framework, just minimal code usage to create new session for modified "Sample 28". Unexpectedly useful to finding bugs in authorization scheme (like mentioned problem in this topic or like http://synopse.info/forum/viewtopic.php?id=2977 ).
best regards,
Maciej Izak
Offline
Pages: 1