[Freeipa-devel] Summary of Session discussion

Adam Young ayoung at redhat.com
Thu May 26 16:53:18 UTC 2011 

   There are four cases where we've discussed using sessions for 
optimizations.  During today's phone discussion we analysed them.

1.  Avoiding the negotiate round trip.

Requesting a page protected by Kerberos requires two round trips to the 
server:  1 for the initializ request, which gets denied with the 
negotiate challenge, and one for the negotiate response.  mod_auth_kerb 
can fall back to userid/password.  THe suggestion was t hat we allow 
mod_auth_kerb to set a session cookie after a successful negotiate 
request.  Future requests can use that cookie to bypass the negotiate 
handshake.  The problem with this approach is NFS home directories, and 
root users being able to get  access to the session cookies, allowing a 
replay attack.  Note that this is a problem with the userid/password 
fall-back as well.  We are not going to pursue this right now.

2.  Caching the service ticket.  Once the http request has gone through, 
the ipa web server needs to request a service ticket for LDAP.  If the 
session contained the service ticket, the could be bypassed for 
additional requests.  Since the request has to be validated by Kerberos 
for the initial negotiate call, there is no additional loss of security 
in caching the ticket.
     A potential alternative to server side caching is for the client to 
request the service ticket and send it in the negotiate handshake.  
There is some question as to whether the web server would be able to 
acces this ticket, and also whether the client can somehow request a 
ticket that the server can use, and still comply with the Kerberos 
standards.

3.  File Upload.  Session time out provides a means to automate the 
clean up of files that might otherwise be orphaned.

4.  Windowing search results.  the 'find' APIs as implemented by LDAP 
limit the responses to 200 records by default.  One request we've had is 
to provide sorting and windowing.  Windowing here is defined as, for a 
sorted response, return a delimited number of records starting at an 
offset greater than 0. The LDAP implementation requires the equivalent 
of a cursor from the requester, in this case the Apache server.  To 
maintain association between the user and the cursor, the cursor 
identifier would be stored in the session.   Implementing this correctly 
will require further design.  It will likely be done in the future.

In summary, the caching of the service ticket alone provides a 
compelling reason to implement sessions.  File upload will take 
advantage of them.  Other uses may be found over time.

More information about the Freeipa-devel mailing list