Description
I use HTTP based authentication with GSSAPI negotiation. After changing or destroying the credentials, 'moinmoin' still assumes the username which was used for the initial login. It seems that the cookie (which is required for page trails) overrides the HTTP auth information.
This is some kind of security bug: we set up our wiki to allow anonymous access (with restricted view) by plain HTTP and require authentication when accessing it by HTTPS.
When identified over an encrypted HTTPS connection, a corresponding cookie will be set. Switching back to HTTP sends this cookie over an unencrypted line, and an attacker could sniff this cookie and gain additional rights.
It would be really nice if I could avoid moin_session completely for HTTP based authentication; at the moment, it is required for page trails. In moinmoin 1.5.x it worked fine.
Steps to reproduce
1. Set up a MoinMoin installation with
   auth = [http, moin_session]
   on a GSSAPI/SPNEGO enabled web server (e.g. apache + mod_auth_kerb).
2. Get a credential:
   kinit ensc
3. Open the MoinMoin wiki -> you are logged in as ensc.
4. Switch credential:
   kinit ensc/admin
5. Reload the page / restart the browser -> you are still logged in as ensc.
6. Destroy the credential:
   kdestroy
7. Go to the same MoinMoin installation in a way which does not require HTTP authentication (e.g. HTTP instead of HTTPS) -> you are still logged in as ensc.
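As an added illustration (not MoinMoin's own code), the following Python model contrasts the resolution order the report describes, where the session cookie's identity wins over the web server's HTTP auth result, with a defensive order in which the transport-proven identity is authoritative and the session cookie is neither trusted over plain HTTP nor sent there by the browser. The Request fields, function names and the MOIN_SESSION cookie name are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    """Constructed stand-in for the fields an auth chain inspects."""
    remote_user: Optional[str]   # identity proven by the web server (REMOTE_USER), None if absent
    session_user: Optional[str]  # identity stored behind the session cookie, None if no cookie
    is_https: bool               # whether this request arrived over TLS


def resolve_user_buggy(req: Request) -> Optional[str]:
    """Models the reported behaviour of auth = [http, moin_session]:
    the session entry runs last, so a stale cookie identity shadows
    whatever the web server authenticated on this very request."""
    user = req.remote_user
    if req.session_user is not None:
        user = req.session_user      # cookie overrides the fresh HTTP auth result
    return user


def resolve_user_fixed(req: Request) -> Optional[str]:
    """Defensive ordering (modelling assumption, not MoinMoin's implementation):
    the web server's proven identity is authoritative, and a session cookie may
    only continue a login on the encrypted transport where it was issued."""
    if req.remote_user is not None:
        # Credential changed (kinit ensc/admin): any old session is ignored.
        return req.remote_user
    if req.session_user is not None and req.is_https:
        return req.session_user
    return None   # anonymous: no HTTP auth and no trustworthy session


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie attributes that stop a browser from replaying the HTTPS
    session over plain HTTP, which is the sniffing exposure in the report."""
    return f"MOIN_SESSION={session_id}; Path=/; Secure; HttpOnly"
```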
Component selection
- moin_session
Details
MoinMoin Version | 1.6.3
OS and Version | CentOS 5.1
Python Version | 2.4
Server Setup | apache, mod_auth_kerb, "Require valid-user" for HTTPS access, no HTTP auth for plain HTTP
Workaround
Discussion
Can you please test 1.7? I don't have an easy way to reproduce this right now, and I think 1.7 should have this fixed already. -- JohannesBerg 2008-05-24 18:30:06
Confirmed for 1.6.4 with a web server configuration based on HTTP digest auth:
<Directory "/srv/share/moin/mywiki">
    AuthType Digest
    AuthName "MyWiki"
    AuthDigestProvider file
    AuthUserFile /var/auth/users
    Require valid-user
    AllowOverride None
    Order allow,deny
    Allow from localhost
</Directory>
and wikiconfig.py (1.6.4):
from MoinMoin.auth.http import http
from MoinMoin.auth import moin_session
...
auth = [http, moin_session]
user_autocreate = 1
I was able to verify the problem by the following steps:
- browser login as user1
- stop the webserver
- kill the browser
- start the webserver
- browser login as user2
- you are user1
- logout, clear messages -> you become user2
With a 1.7.2 configuration it can't be reproduced:
from MoinMoin.auth.http import HTTPAuth
...
auth = [HTTPAuth()]
user_autocreate = 1
Plan
- Priority:
- Assigned to:
- Status: seems to be fixed in 1.7. In 1.7 we did a big API refactoring of the auth code for several reasons, e.g. to support more than only one auth method (two LDAP servers).