[ https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17325824#comment-17325824 ]

Cris Rockwell commented on SLING-10290:
---------------------------------------

Suggest upgrading this ticket to Critical.

The TokenStore in Forms uses SHA-1:

{{final Mac m = Mac.getInstance(HMAC_SHA1);}}

https://github.com/apache/sling-org-apache-sling-auth-form/blob/e7cfa7827c9ce39d5f686556bb2555c83c335c3f/src/main/java/org/apache/sling/auth/form/impl/TokenStore.java#L143

Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, HMAC-MD5, 
DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160 and SHA-1 
are no longer considered secure, because it is possible to have collisions 
(little computational effort is enough to find two or more different inputs 
that produce the same hash).

The provisioning of weak security tokens for every request could be considered 
a security vulnerability. Also in a production environment with many active 
users, the risk of accidental collision is not impossible.

> Every request renews sling.formauth token
> -----------------------------------------
>
>                 Key: SLING-10290
>                 URL: https://issues.apache.org/jira/browse/SLING-10290
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.20
>            Reporter: Cris Rockwell
>            Priority: Major
>         Attachments: image-2021-04-09-14-19-17-509.png
>
>
> When using the Apache Sling Form Based Authentication Handler,
> every request and subrequest sets a new value for `sling.formauth`.
> Analyzing the code indicates that this is not the intended behavior,
> and the cookie value of `sling.formauth` should be consistent for 30 minutes 
> according to the default value of form.auth.timeout.
> Debugging shows that the method 
> [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
>  always returns null. AuthenticationInfo properties are 
> user.jcr.credentials, sling.authType and user.name, but there is no 
> property called sling.formauth.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)