[SSO] Bind session cookie to client IP address

Status: RESOLVED FIXED
Product: Webtools Graveyard
Component: SSO (Legacy)
Priority: P1
Severity: normal
Reported: 8 years ago
Modified: 2 years ago
Reporter: wenzel
Assigned: wenzel
Whiteboard: [infrasec:auth]

Description (assignee, 8 years ago)

Much like we do on bugzilla and other places, the SSO session cookie should be valid for its original IP address only.

Updated (assignee, 8 years ago)
Component: Webdev → SSO
Product: mozilla.org → Webtools
QA Contact: webdev → sso
Whiteboard: [infrasec:auth]

Updated (assignee, 8 years ago)
Priority: -- → P1

Updated (assignee, 8 years ago)
Assignee: fwenzel → nobody

Comment 1 (assignee, 8 years ago)

This is fixed:
http://github.com/mozilla/secret-squirrel/commit/85b5f61

Notes:
- I used django-paranoid-sessions[1], which can do even more to ensure session safety than what we are using it for now. I only switched on remote IP checking, however. Michael, you might want to check out what else that package offers, for inspiration :).
- I wrote a test that ensures an established session is logged out when the client IP changes.
- I am using commonware's remote IP middleware to check the client IP vs. our load balancer's IP (which would be useless).
- Ozten: You have to ``pip install -r requirements/dev.txt``.
[1] http://github.com/rfk/django-paranoid-sessions/
Assignee: nobody → fwenzel
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard
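The mechanism the comment above describes, written out as an added, framework-free example (this is not the secret-squirrel commit, django-paranoid-sessions or commonware; every name, the TRUSTED_PROXIES set and the addresses are assumptions or constructed). It shows the two pieces that matter: picking the real client address from X-Forwarded-For only when the direct peer is our own load balancer, since comparing against the balancer's address would make the check useless, and logging a session out the moment a request for it arrives from a different address.

```python
"""Session cookies bound to the client IP, as a stand-alone sketch.

Added example; this is neither the secret-squirrel commit nor
django-paranoid-sessions or commonware. All names are assumptions,
and TRUSTED_PROXIES and the addresses below are constructed.
"""
import ipaddress
import secrets

# Constructed: the load balancer that sits in front of the SSO app.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip(remote_addr, x_forwarded_for=None):
    """Pick the address to bind a session to.

    Only when the direct peer is a trusted proxy do we read
    X-Forwarded-For, and then we take the right-most hop that is not
    itself one of our proxies: the proxy appended that value, the
    client did not. Comparing against the proxy's own address would
    make the check useless, since every request arrives from it.
    """
    if remote_addr in TRUSTED_PROXIES and x_forwarded_for:
        hops = [h.strip() for h in x_forwarded_for.split(",")]
        for hop in reversed(hops):
            try:
                hop = str(ipaddress.ip_address(hop))
            except ValueError:
                continue  # garbage in a client-controlled header: skip it
            if hop not in TRUSTED_PROXIES:
                return hop
    return remote_addr


class SessionStore:
    """In-memory session store that records the IP at login and
    invalidates the session as soon as a request arrives from elsewhere."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, ip):
        sid = secrets.token_urlsafe(32)  # the session cookie value
        self._sessions[sid] = {"user": user, "ip": ip}
        return sid

    def user_for(self, sid, ip):
        """Return the user for a valid session, or None.

        A mismatch between the recorded and current IP logs the session
        out for good, so a cookie presented from elsewhere cannot be
        retried later from the original address either.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session["ip"] != ip:
            del self._sessions[sid]
            return None
        return session["user"]


def walkthrough():
    """The scenario the comment's test covers: an established session is
    logged out when the client IP changes. All requests come through the
    proxy, so remote_addr is always 10.0.0.5 and only X-Forwarded-For
    differs between them."""
    store = SessionStore()
    proxy = "10.0.0.5"
    sid = store.login("alice", client_ip(proxy, "203.0.113.10"))
    same_ip = store.user_for(sid, client_ip(proxy, "203.0.113.10"))
    other_ip = store.user_for(sid, client_ip(proxy, "198.51.100.7"))
    back_home = store.user_for(sid, client_ip(proxy, "203.0.113.10"))
    return same_ip, other_ip, back_home


if __name__ == "__main__":
    print(walkthrough())  # ('alice', None, None)
```

One caveat worth keeping in mind when deploying a check like this: clients whose address legitimately changes mid-session (mobile networks, some corporate egress pools) will be logged out, which is the trade-off the bug accepts for an SSO cookie.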