668308 - Build a secure session password storage feature

Status: VERIFIED FIXED

(Participation Infrastructure :: Phonebook, defect)

Description

[Austin King [:ozten]]

Per Options 2,3, and 4 generated in http://etherpad.mozilla.com:9000/mozillians-auth we need to build a secure component which is a session that has the user's clear text password.

Using some form of 2 way encryption, we'll want to store the user's password in memcached (or other). Part of the secret will be client side and part of the secret will be server side.

While the user has a valid session, a python API will allow Django to use the user's clear text password when binding to LDAP.

This component can be built completely outside of LDAP. It should build on the services group's knowledge of storing user data.

Comment 1

[Toby Elliott [:telliott]]

For the limited amount of password storage we need to do, we ended up patching beaker to do encrypted sessions. 

http://hg.mozilla.org/services/account-portal/file/ee552c3ba4aa/accountportal/beakerpatch.py

Shouldn't be too hard to extend that to cover having the key in the session cookie. Note that moving the key there isn't going to save you from a box-rooted attack, since they'll just grab the password when they initially log in.

Comment 2

[Dave Dash [:davedash, :dd] (assign all bugs to mbrandt)]

Sounds like I can use:

https://docs.djangoproject.com/en/dev/topics/signing/

with secure cookie based sessions

Comment 3

[Dave Dash [:davedash, :dd] (assign all bugs to mbrandt)]

This was fixed a while back.

Comment 4

[Tobias (:Tobbi) Markus]

Is there any way QA can test this bug? Or shall I mark it as [qa-]?

Comment 5

[Tobias (:Tobbi) Markus]

Verifying qa-