Issue #6544: The ipa_session cookie cache should be bound to the kerberos ticket - freeipa

freeipa

#6544 The ipa_session cookie cache should be bound to the kerberos ticket

Opened 7 years ago by simo. Modified 7 years ago

This was inspired by the issues idenified in #6543.

The idea is that we should encrypt the session cookie stored in the keyring with the ticket used to obtain it.
This way if the ccache is kdestroyed the cookie is rendered invalid as the owner of the cacche almost certainly intend.

Alternatively store the cookie in the ccache instead of a keyring so that it is destroyed by kdestroy -A

Metadata Update from @simo:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

Metadata

Assignee

someone

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

Future Releases

None

affects_doc

None

source

None

knownissue

None

type

enhancement

blockedby

None

test_case

None

component

IPA

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

tester

None

changelog

None

design

None

freeipa

Source Code

#6544 The ipa_session cookie cache should be bound to the kerberos ticket Opened 7 years ago by simo. Modified 7 years ago

Close issue as:

Metadata

#6544 The ipa_session cookie cache should be bound to the kerberos ticket

Opened 7 years ago by simo. Modified 7 years ago