is using LDAP or SESSION more secure for authentication and access control?

  • Notgiven

    is using LDAP or SESSION more secure for authentication and access control?

    I am considering a large project and they currently use LDAP on MS platform.
    It would be moved to a LAMP platform. OpenLDAP is an option though I have
    not used it before. I do feel fairly comfortable with my ability to use
    SESSIONS for authentication and access control.

    Would it be better to learn and use LDAP or can you REALLY have just as secure
    authentication and access control using Sessions?

    Thanks for your thoughts and experience.


  • Erwin Moller

    #2
    Re: is using LDAP or SESSION more secure for authentication and access control?

    Notgiven wrote:
    > I am considering a large project and they currently use LDAP on MS
    > platform. It would be moved to a LAMP platform. OpenLDAP is an option
    > though I have not used it before. I do feel fairly comfortable with my
    > ability to use SESSIONS for authentication and access control.
    >
    > Would it be better to learn and use LDAP or can you REALLY have just as
    > secure authentication and access control using Sessions?

    Hi,

    You better be the judge of that yourself.
    Consider the following about sessions:

    - A session with a client is based on some value that is passed to the
    client. The client sends this value back with each new request to the server.
    - This is just a token, often in the form: PHPSESSID=231jhg2fg14hg3ff43
    - This sessionid is passed via cookie or URL

    So until now: somebody has to intercept the sessionid on its route from
    client to server and the other way round.
    If somebody manages to do this, under most circumstances this bad guy can
    'hijack the session', simply by going to the same page with the right
    cookie set (for PHPSESSID).

    If you can secure this part (by means of https eg) then you are fine (so
    far).

    How to use a session for security (admin-only pages example)

    - A sessionid is used on the server to retrieve the actual data stored in
    the session, like (in php):

    to set some value:
    $_SESSION["isadmin"] = "Y";

    or at the top of a script that demands admin-only entrance:
    if (isset($_SESSION["isadmin"]) && ($_SESSION["isadmin"] == "Y")) {
        // OK, this session was marked as admin when the user logged in
    } else {
        echo "Go away!";
        exit;
    }

    So you'll have to adjust this logic everywhere in your application.


    Next possible problem:

    The server itself.
    Consider where the sessiondata (like 'admin' value) is stored.
    Default PHP install will use a filebased sessionstorage system.
    It creates a file in a temp directory under a name that includes the
    sessionid.
    PHP will get this file if a new request arrives at the server.

    Alternatively, you can write your own sessionhandling, and store it in a
    database.

    In both cases:
    Ask yourself: Can somebody else get the session there? (in tempdirectory or
    from database).

    Remember that the tempdirectory is writable and readable for all users
    (under most *nix distros).
    The fileowner of the sessionfile will be the user that runs PHP.
    Under *nix this is often www-data/apache/nobody.

    So if you are in a shared hosting environment, somebody else running a
    website on that machine, will run as the same user, thus will be able to
    get the sessionfile and read/write it.
    (Again under most setups)

    Hope this helps you a bit to decide what is best.

    Oh, my knowledge of LDAP is limited to 'heard that name before, something
    with file/directorybased storage, right?'.
    So I cannot help you compare.

    Good luck.

    Regards,
    Erwin Moller
    >
    > Thanks for your thoughts and experience.
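A hardened version of the setup Erwin describes, added here as an example and not code from the thread: session files moved out of the shared temp directory, the id accepted only from a cookie, the id renewed at login, and the admin check kept in one function instead of repeated on every page. The save path and PHP 7.3 or later are assumptions.

```php
<?php
// Added example (not from the thread). Include this at the top of every
// script; call loginAsAdmin() once after the password has been verified.

// 1. Keep session files out of the world-readable shared temp directory
//    Erwin warns about. Assumed path: a mode-0700 directory owned by the
//    user PHP runs as, so other accounts on a shared host cannot read it.
ini_set('session.save_path', '/var/lib/myapp/sessions');
ini_set('session.use_only_cookies', '1');  // never take the id from the URL
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued

// 2. Cookie flags: sent only over HTTPS and not readable by JavaScript,
//    which closes the "intercept the sessionid" route for plain HTTP.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Called once, right after the user's password (or LDAP bind) checked out.
function loginAsAdmin(string $username): void
{
    // Fresh id on privilege change: an id captured before login is useless.
    session_regenerate_id(true);
    $_SESSION['user']    = $username;
    $_SESSION['isadmin'] = 'Y';
}

// One place for the check, so the logic is not copied into every page.
function requireAdmin(): void
{
    if (($_SESSION['isadmin'] ?? '') !== 'Y') {
        http_response_code(403);
        echo "Go away!";
        exit;
    }
}

// Top of an admin-only script:
requireAdmin();
```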


    • Notgiven

      #3
      Re: is using LDAP or SESSION more secure for authentication and access control?

      "Erwin Moller"
      <since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote in
      message news:43e9f242$0$11067$e4fe514c@news.xs4all.nl ...
      > Notgiven wrote:
      >
      >> I am considering a large project and they currently use LDAP on MS
      >> platform. It would be moved to a LAMP platform. OpenLDAP is an option
      >> though I have not used it before. I do feel fairly comfortable with my
      >> ability to use SESSIONS for authentication and access control.
      >>
      >> Would it be better to learn and use LDAP or can you REALLY have just as
      >> secure authentication and access control using Sessions?
      >
      > Hi,
      >
      > You better be the judge of that yourself.
      > Consider the following about sessions:
      >
      > - A session with a client is based on some value that is passed to the
      > client. The client sends this value back each new request to the server.
      > - This is just a token, often in the form: PHPSESSID=231jhg2fg14hg3ff43
      > - This sessionid is passed via cookie or URL
      >
      > So until now: somebody has to intercept the sessionid on its route from
      > client to server and the other way round.
      > If somebody manages to do this, under most circumstances this bad guy can
      > 'hijack the session', simply by going to the same page with the right
      > cookie set (for PHPSESSID)
      >
      > If you can secure this part (by means of https eg) then you are fine (so
      > far).
      >
      > How to use a session for security (admin-only pages example)
      >
      > - A sessionid is used on the server to retrieve the actual data stored in
      > the session, like (in php):
      >
      > to set some value:
      > $_SESSION["isadmin"] = "Y";
      >
      > or on top of a script that demands admin-only entrance:
      > if (isset($_SESSION["isadmin"]) && ($_SESSION["isadmin"] == "Y")) {
      > // OK
      > } else {
      > echo "Go away!";
      > exit;
      > }
      >
      > So you'll have to adjust this logic everywhere in your application.
      >
      >
      > Next possible problem:
      >
      > The server itself.
      > Consider where the sessiondata (like 'admin' value) is stored.
      > Default PHP install will use a filebased sessionstorage system.
      > It creates a file in a temp directory under a name that includes the
      > sessionid.
      > PHP will get this file if a new request arrives at the server.
      >
      > Alternatively, you can write your own sessionhandling, and store it in a
      > database.
      >
      > In both cases:
      > Ask yourself: Can somebody else get the session there? (in tempdirectory
      > or from database).
      >
      > Remember that the tempdirectory is writable and readable for all users
      > (under most *nix distros).
      > The fileowner of the sessionfile will be the user that runs PHP.
      > Under *nix this is often www-data/apache/nobody.
      >
      > So if you are in a shared hosting environment, somebody else running a
      > website on that machine, will run as the same user, thus will be able to
      > get the sessionfile and read/write it.
      > (Again under most setups)
      >
      > Hope this helps you a bit to decide what is best.
      >
      > Oh, my knowledge of LDAP is limited to 'heard that name before, something
      > with file/directorybased storage, right?'.
      > So I cannot help you compare.
      >
      > Good luck.
      >
      > Regards,
      > Erwin Moller

      Thanks for your insight. I am using sessions for auth/access control now for
      several apps so, like you, I understand how that works. I haven't done this
      yet, but you can set the session store location/directory in the php.ini
      file.

      If you do that and use SSL, I think most of session security is covered.
      The logic of access control is critical and requires lots of planning and
      "what-if" analysis.

      thanks again!



      • d

        #4
        Re: is using LDAP or SESSION more secure for authentication and access control?

        "Notgiven" <notreallyme@invalid.invalid> wrote in message
        news:L4mGf.691$pM6.83@bignews4.bellsouth.net...
        >I am considering a large project and they currently use LDAP on MS
        >platform. It would be moved to a LAMP platform. OpenLDAP is an option
        >though I have not used it before. I do feel fairly comfortable with my
        >ability to use SESSIONS for authentication and access control.
        >
        > Would it be better to learn and use LDAP or can you REALLY have just as
        > secure authentication and access control using Sessions?
        >
        > Thanks for your thoughts and experience.

        I'd use LDAP. It will integrate directly with their domain controller (or
        whatever is holding the directory), and save you lots of headache. You can
        even use samba to act as a pam module, which you can use on linux to
        authenticate users on a windows domain.

        dave



        • Gordon Burditt

          #5
          Re: is using LDAP or SESSION more secure for authentication and access control?

          >I am considering a large project and they currently use LDAP on MS platform.
          >It would be moved to a LAMP platform. OpenLDAP is an option though I have
          >not used it before. I do feel fairly comfortable with my ability to use
          >SESSIONS for authentication and access control.
          >
          >Would it be better to learn and use LDAP or can you REALLY have just as secure
          >authentication and access control using Sessions?

          This question seems a lot like "are you going to use roads or a
          motor vehicle to go across town"? There's a good chance you will
          want both.

          LDAP as described here is functioning as a database of valid users
          and passwords, and a method to check access. Alternatives might
          include a MySQL database of users and passwords, a flat file, a
          RADIUS server, or something hardcoded into code.

          Issues like whether the passwords are encrypted when stored or
          encrypted when transmitted are implementation details. If you want
          it "secure", you have to describe the threat model. Is the problem
          traffic sniffing? (encrypt passwords when transmitted) Or an
          employee who walks off with a copy of the database (encrypt passwords
          when stored). Sometimes it's not practical to do both.

          You also need something that allows or disallows access to particular
          pages. It also has the problem of grouping a set of accesses into
          a "login session" as it is undesirable to make the user enter a
          password on *every* page, and checking on every access can be
          inefficient. PHP code with sessions is one way to do this. Apache
          HTTP authentication is another (although it has disadvantages, like
          not having a "logout" function). You can also use PHP code with
          cookies. Or check IP addresses.

          Gordon L. Burditt
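To show what "using both" looks like in Gordon's terms, an added example that is not code from the thread: authentication is delegated to OpenLDAP by binding with the user's own credentials over TLS (his "traffic sniffing" case), and the login session stays in PHP. The server URI, the base DN and the presence of ext/ldap are assumptions.

```php
<?php
// Added example (not from the thread). Assumes ext/ldap, an OpenLDAP server
// at ldap://ldap.example.internal (placeholder) with user entries under
// ou=people,dc=example,dc=internal (placeholder), and STARTTLS available.

function ldapAuthenticate(string $username, string $password): bool
{
    // An empty password is an anonymous bind on many servers and would
    // "succeed": reject it before talking to the directory.
    if ($username === '' || $password === '') {
        return false;
    }
    $ds = ldap_connect('ldap://ldap.example.internal');
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Refuse to send the password in clear: Gordon's transmitted-password case.
    if (!ldap_start_tls($ds)) {
        ldap_unbind($ds);
        return false;
    }
    // Escape the username before building the DN, so user input cannot
    // change which entry is bound to (LDAP injection).
    $dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN)
        . ',ou=people,dc=example,dc=internal';
    // The bind itself is the password check; the web app never stores or
    // compares the password (the directory holds it, Gordon's stored case).
    $ok = @ldap_bind($ds, $dn, $password);
    ldap_unbind($ds);
    return $ok;
}

// Access control stays in the application: the directory answers "who is
// this", the PHP session carries that answer across the following pages.
if (isset($_POST['user'], $_POST['pass'])
    && ldapAuthenticate($_POST['user'], $_POST['pass'])) {
    session_start();
    session_regenerate_id(true);   // new id once the user is authenticated
    $_SESSION['user'] = $_POST['user'];
} else {
    http_response_code(401);
    echo "Login failed";
}
```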


          • Notgiven

            #6
            Re: is using LDAP or SESSION more secure for authentication and access control?

            "d" <d@example.com> wrote in message
            news:G6xGf.17316$wl.16165@text.news.blueyonder.co.uk...
            > "Notgiven" <notreallyme@invalid.invalid> wrote in message
            > news:L4mGf.691$pM6.83@bignews4.bellsouth.net...
            >>I am considering a large project and they currently use LDAP on MS
            >>platform. It would be moved to a LAMP platform. OpenLDAP is an option
            >>though I have not used it before. I do feel fairly comfortable with my
            >>ability to use SESSIONS for authentication and access control.
            >>
            >> Would it be better to learn and use LDAP or can you REALLY have just as
            >> secure authentication and access control using Sessions?
            >>
            >> Thanks for your thoughts and experience.
            >
            > I'd use LDAP. It will integrate directly with their domain controller (or
            > whatever is holding the directory), and save you lots of headache. You
            > can even use samba to act as a pam module, which you can use on linux to
            > authenticate users on a windows domain.
            >
            > dave

            Thanks. This will be a standalone server not included in any domain.



            • Notgiven

              #7
              Re: is using LDAP or SESSION more secure for authentication and access control?

              > LDAP as described here is functioning as a database of valid users
              > and passwords, and a method to check access. Alternatives might
              > include a MySQL database of users and passwords, a flat file, a
              > RADIUS server, or something hardcoded into code.
              >
              > Issues like whether the passwords are encrypted when stored or
              > encrypted when transmitted are implementation details. If you want
              > it "secure", you have to describe the threat model. Is the problem
              > traffic sniffing? (encrypt passwords when transmitted) Or an
              > employee who walks off with a copy of the database (encrypt passwords
              > when stored). Sometimes it's not practical to do both.
              >
              > You also need something that allows or disallows access to particular
              > pages. It also has the problem of grouping a set of accesses into
              > a "login session" as it is undesirable to make the user enter a
              > password on *every* page, and checking on every access can be
              > inefficient. PHP code with sessions is one way to do this. Apache
              > HTTP authentication is another (although it has disadvantages, like
              > not having a "logout" function). You can also use PHP code with
              > cookies. Or check IP addresses.

              So as I understand it, LDAP is an alternative to userid and passwords in a
              database for authenticating.

              Regarding sessions, right - I use them in my apps for controlling access to
              certain pages.

              Not being familiar with LDAP, I thought it was a magic bullet for
              authenticating AND intra-application access control. I see now that it is
              not. Rather, as I understand it, it is one of several authentication
              methods.

              Thanks again

