LP session tokens stay the same indefinitely
Bug #118599 reported by
Stuart Bishop
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Triaged
|
High
|
Unassigned | ||
Bug Description
People have happily been posting HTTP headers to help us debug Launchpad issues, including cookie headers without realizing that anyone with that information can connect to launchpad using their credentials.
We will never be able to stop this, and there are other ways that cookies can leak out, so we should make the session machinery more resistant to this.
One approach is to get Launchpad to cycle the session token regularly.
An additional protection would be to tie the session token to a particular IP address.
| Changed in launchpad: | |
| importance: | Undecided → High |
| status: | Unconfirmed → Confirmed |
| security vulnerability: | yes → no |
| visibility: | private → public |
Revision history for this message
| Robert Collins (lifeless) wrote | #1 |
| summary: |
- Session tokens should cycle + LP session tokens stay the same indefinitely |
To post a comment you must log in.
Tying to IP would likely frustrate users. Rotating the session key say daily would be good.