CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017.

Topic: Protecting Session Data

Elliot Ward

Protecting Session Data
July 24, 2013, 02:49:58 am
With the current project I am working on, we are running into problems with our internal security team, who are vetoing sending session IDs that link to information about a donation we are trying to receive without HTTPS encryption. So my question/idea is this:

Would it be possible for CiviCRM to self-encrypt and decrypt information that it puts into the session? Thus making the ID useless without the corresponding key value to decrypt. Or alternatively, if there is a performance hit with encrypting that much data, an optional extra session (whose ID is sent without encryption) that holds an encrypted ID to the session with the person's information (a roundabout method, I know).

I mentioned this to Xavier Dutoit, and he suggested opening this up as a discussion on the forum. So your input is greatly appreciated.

xavier

Re: Protecting Session Data
July 24, 2013, 03:10:28 am
Quote from: Elliot Ward on July 24, 2013, 02:49:58 am
With the current project I am working on, we are running into problems with our internal security team, who are vetoing sending session IDs that link to information about a donation we are trying to receive without HTTPS encryption. So my question/idea is this:


Could you clarify what the risk to be avoided is?
To be able to steal the session ID, you need to be able to read the HTTP traffic, so you can just as well read the first name and address and whatever else is transmitted in the contribution page.

With the session ID for an anonymous session, I don't think you will be able to access any information besides the information transmitted in the contribution form, which you would have been able to steal anyway if you are able to get access to the session ID.

So I'm not sure I understand what we are trying to protect here (obviously, using HTTPS would be better anyway).

Quote
Would it be possible for CiviCRM to self-encrypt and decrypt information that it puts into the session?

Thus making the ID useless without the corresponding key value to decrypt. Or alternatively, if there is a performance hit with encrypting that much data, an optional extra session (whose ID is sent without encryption) that holds an encrypted ID to the session with the person's information (a roundabout method, I know).


Again, what are we trying to protect here?

Presumably, the idea is that Civi has the key, so if you have been able to steal my session ID, you can still convince Civi you are me and let it decrypt whatever is in the session.

Moreover, very little "useful" stuff is stored in the session anyway; the only real benefit is that it would allow one to pretend to be me, and encrypting the little stuff stored in the session isn't going to be impacted.

I understand the general security policy, but I'm not sure it's relevant in this case. Am I missing something?
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

Elliot Ward

Re: Protecting Session Data
July 24, 2013, 04:30:58 am
I hadn't thought of the data being sent; yeah, that makes this all pointless. Also, having spoken to the rest of the team I'm in, I have realised that the problem is not something that can be fixed on the CiviCRM side. It is our own security team that is blocking the process.

Thank you for your help anyway, sorry.

Hershel

Re: Protecting Session Data
July 24, 2013, 04:41:41 am
Would also be a lot easier just to install an SSL cert--they're not expensive. :)
CiviHosting and CiviOnline -- The CiviCRM hosting experts, since 2007


xavier

Re: Protecting Session Data
July 24, 2013, 01:25:10 pm
Btw, the "super sensitive" data like the credit card is not touching Civi and your server but is processed directly by the payment provider site (over SSL).

And yes, SSL everywhere is the standard (and better) way to handle securing traffic.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result
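
The point made in xavier's replies above, as an added example that is not part of the thread and is not CiviCRM code: session data encrypted under a server-held key is still returned in the clear to whoever presents the session ID, so the ID itself has to stay off unencrypted connections. `SessionStore`, the `SESSID` cookie name and the donor record are assumptions made for the illustration, and the HMAC-based keystream stands in for a real cipher.

```python
import hashlib, hmac, json, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Illustration-only stream cipher (HMAC-SHA256 in counter mode);
    # real code would use a vetted AEAD from a crypto library.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, data: dict) -> bytes:
    nonce, pt = secrets.token_bytes(16), json.dumps(data).encode()
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct = blob[:16], blob[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class SessionStore:
    """Hypothetical server-side store: rows are encrypted under a key only the server holds."""
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self.rows = {}  # session ID -> encrypted blob

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)
        self.rows[sid] = seal(self._key, data)
        return sid

    def load(self, sid: str):
        # The ID is a bearer token: the server decrypts for whoever presents it.
        blob = self.rows.get(sid)
        return None if blob is None else unseal(self._key, blob)

def session_cookie(sid: str) -> str:
    # Secure stops the browser from sending the ID over plain HTTP, which is
    # the exposure discussed in the thread; SESSID is a made-up cookie name.
    return f"Set-Cookie: SESSID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def demo():
    store = SessionStore()
    donor = {"first_name": "Ada", "amount": "25.00"}  # constructed sample data
    sid = store.create(donor)
    same_id_other_client = store.load(sid)  # same ID presented by a second client
    return store.rows[sid], same_id_other_client, donor

if __name__ == "__main__":
    at_rest, replayed, donor = demo()
    print("stored blob readable:", b"first_name" in at_rest)
    print("server returns data for the ID:", replayed == donor)
```

Encrypting the stored rows protects against someone reading the session storage directly; it does nothing for an ID exposed in transit, which is what HTTPS and the `Secure` cookie attribute address.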


This forum was archived on 2017-11-26.