forked from eucalyptus/architecture
-
Notifications
You must be signed in to change notification settings - Fork 0
user ui 3.2 sec
chris grzegorczyk edited this page Oct 16, 2012
·
5 revisions
- all inputs (user, database, filesystem, network) should be convertied into a canonical form before any processing is done
- //canonicalization// is the process of converting something from one representation to the simplest form
- all components of the web UI shall assert the correct locale and character set to be used
- use HTML entities, URL encoding, and so on to prevent Unicode characters being treated improperly by the many divergent browser, server, and application combinations
- Escape all outputs before returning them to a user
- //escaping// is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser
- KB article with references to Cheat Sheets
- OWASP ESAPI library for escaping
- Sessions must have a limited lifetime and expire after a period of time based on business and usability requirements balanced with security considerations.
- General security guidelines: sessions SHOULD timeout after 5 minutes for high-value applications, 10 minutes for medium value applications, and 20 minutes for low risk applications.
- A new session id needs to be generated when user logs in
- The UI proxy should invalidate and remove the session identification token after a user //logout//.
- The UI proxy should invalidate and remove the session identification token after a period of inactivity.
- For session management the best practice is to use a robust, well-known session manager built in to a web application framework.
- Use HTTP cookies for passing session ids.
- If Cookies are used to store and transmit session identifiers over HTTPS they should be marked as 'Secure' so that they are not served over non-SSL tunnels.
- a more complete list of best practices is here
- a unique temporary //validation token// needs to be generated in addition to the session id
- this token needs to be in some way associated with the user session and be inserted into any web page generated by the proxy
- one way to generate the validation token is HMAC of the session id or to keep a server-side state for that
- see KB article for more details and other approaches
- client-side code should submit this token using an additional custom HTTP header
- this token has to be validated on each request from the user together with the session id
- user request is accepted only iff a valid token for the current session is submitted
- the validation token has the lifetime of the corresponding user session
- the validation token should also be used for the login form(s) (i.e., before the user is authenticated)
NOTE: Tornado 2.3 comes with built-in CSRF protection that can be enabled. We should take advantage of it if it's available in the version that we are going to use.
- User parameterized (aka, prepared) queries.
- If a framework like Hibernate is used, avoid using native queries. If native queries are absolutely necessary, sanitize any untrusted data in the query before passing it to the database layer.
tag:rls-3.2
- Contact Info
- email: [email protected]
- IRC: #eucalyptus-devel (freenode)
- Twitter: @grrrze
- Other Links