Opened 4 years ago

Last modified 4 years ago

#1186 new

Add session management to Web Admin UI to prevent CSRF

Reported by: VValdo Owned by: somebody
Keywords: Cc:

Description (last modified by VValdo)

Per the thread at http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55173&start=180 , I was asked to add the following:

DD-WRT needs a form of session management to help fight CSRF attacks by tracking session state. This could work as follows:

  1. Upon successful HTTP authentication, DD-WRT generates a session ID (such as an md5 hash of a salted string generated from the authentication datestamp or login password, for example). The session ID is returned to the browser as a cookie with a built-in expiration period (which could be altered via the Security tab).
  2. ALSO -- following successful authorization, all web forms could include a HIDDEN form element containing the session ID (i.e., POST method), or it could be included in the URL as &SESSIONID=WHATEVER (i.e., GET method). The cookie could also be checked with each connection. In any event, the goal is to track the session across connections.
  3. Any "trusted" interaction with the Web Interface should verify that a valid session ID was passed back to the server. The server should re-ask for authorization on any connection that does not provide the session ID, and refuse access without authorization or the session token.
  4. The server should invalidate the session ID token after the expiration period (or a period of inactivity from the user).

Session tokens can be held by the server in memory, database, or a file. Security ramifications should be considered for any method used.

W

Change History (3)

comment:1 Changed 4 years ago by VValdo

  • Description modified (diff)

comment:2 Changed 4 years ago by BrainSlayer

Currently we check the referer to prevent cross-site attacks. I know that session handling is much safer, but it's also not easy to implement in this server, since we need to alter almost all web pages and internal CGI code.

comment:3 Changed 4 years ago by VValdo

I haven't looked at the code, but isn't there any part of the UI common to all pages or form processing that could have a session check inserted? I.e., "If the session cookie is not passed back, send a new authentication request." Then just change the authentication routine to also set the cookie.

Best I can come up with :/

W
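The following is an added example, not DD-WRT httpd code, showing the four-step scheme from the description together with the single common check comment:3 asks for: a small in-memory session store, a token issued after authentication, and one `session_check()` that every trusted page or CGI handler would call before acting. It assumes an in-memory table of a few slots (a router admin UI has few concurrent logins), a 600-second inactivity timeout standing in for the Security-tab setting, and unpredictable random bytes from `/dev/urandom` in place of the salted md5 the description mentions; all function names (`session_create`, `session_check`, `session_invalidate`, `token_from_bytes`, `random_token`) are hypothetical. The point the example makes that the text only implies: a browser attaches the cookie to a cross-site request automatically, so the cookie alone proves nothing, and it is the hidden form field (which a foreign page cannot read) being compared against the cookie that actually defeats CSRF.

```c
/* Added example (not DD-WRT code): session store + per-request CSRF/session check. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define TOKEN_LEN    32   /* 16 random bytes, hex-encoded */
#define MAX_SESSIONS 8    /* assumed: a router admin UI has very few concurrent logins */
#define SESSION_TTL  600  /* assumed inactivity timeout (seconds); the ticket wants it configurable */

typedef struct {
    char   token[TOKEN_LEN + 1];
    time_t expires;
    int    in_use;
} session_t;

typedef struct { session_t slots[MAX_SESSIONS]; } session_store_t;

enum check_result {
    CHECK_OK = 0,          /* trusted request: cookie and form token agree */
    CHECK_NO_SESSION,      /* missing/unknown cookie: re-ask for HTTP authentication */
    CHECK_EXPIRED,         /* timed out: token discarded, re-authenticate */
    CHECK_TOKEN_MISMATCH   /* cookie valid but hidden field missing/wrong: CSRF suspect */
};

void store_init(session_store_t *s) { memset(s, 0, sizeof *s); }

/* Compare n bytes without exiting early, so a caller cannot time how many matched. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hex-encode raw bytes into a NUL-terminated token. */
int token_from_bytes(const unsigned char *raw, size_t n, char *out, size_t outlen) {
    static const char hex[] = "0123456789abcdef";
    if (outlen < 2 * n + 1) return -1;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return 0;
}

/* Fresh token from the kernel CSPRNG (Linux, as on DD-WRT); 0 on success. */
int random_token(char *out, size_t outlen) {
    unsigned char raw[TOKEN_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    return got == sizeof raw ? token_from_bytes(raw, sizeof raw, out, outlen) : -1;
}

/* Step 1: called after successful HTTP auth. Returns the slot index, or -1 if full. */
int session_create(session_store_t *s, const char *token, time_t now) {
    if (strlen(token) != TOKEN_LEN) return -1;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        session_t *sl = &s->slots[i];
        if (sl->in_use && now >= sl->expires) sl->in_use = 0;  /* reap a stale slot */
        if (!sl->in_use) {
            memcpy(sl->token, token, TOKEN_LEN + 1);
            sl->expires = now + SESSION_TTL;
            sl->in_use = 1;
            return i;
        }
    }
    return -1;
}

/* Steps 2-4: the common check run by every trusted handler. cookie_token is taken
 * from the Cookie header, form_token from the hidden field (POST) or the SESSIONID
 * query parameter (GET); either may be NULL when absent. */
enum check_result session_check(session_store_t *s, const char *cookie_token,
                                const char *form_token, time_t now) {
    if (!cookie_token || strlen(cookie_token) != TOKEN_LEN) return CHECK_NO_SESSION;
    session_t *found = NULL;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (s->slots[i].in_use && ct_equal(s->slots[i].token, cookie_token, TOKEN_LEN))
            found = &s->slots[i];
    if (!found) return CHECK_NO_SESSION;
    if (now >= found->expires) { found->in_use = 0; return CHECK_EXPIRED; }
    /* The browser sends the cookie on a cross-site request by itself; only a page
     * served by this UI can echo the token back in the form. This is the CSRF check. */
    if (!form_token || strlen(form_token) != TOKEN_LEN ||
        !ct_equal(form_token, cookie_token, TOKEN_LEN)) return CHECK_TOKEN_MISMATCH;
    found->expires = now + SESSION_TTL;  /* sliding inactivity timeout */
    return CHECK_OK;
}

/* Logout or forced invalidation: forget the token server-side. */
void session_invalidate(session_store_t *s, const char *token) {
    if (strlen(token) != TOKEN_LEN) return;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (s->slots[i].in_use && ct_equal(s->slots[i].token, token, TOKEN_LEN))
            s->slots[i].in_use = 0;
}

int main(void) {
    session_store_t store; char tok[TOKEN_LEN + 1];
    store_init(&store);
    if (random_token(tok, sizeof tok) != 0) return 1;
    time_t now = time(NULL);
    session_create(&store, tok, now);
    printf("cookie+form: %d\n", session_check(&store, tok, tok, now + 1));   /* 0 = OK */
    printf("cookie only: %d\n", session_check(&store, tok, NULL, now + 1));  /* 3 = mismatch */
    return 0;
}
```

The store is deliberately tiny and per-process: on a router the cost that matters is the one BrainSlayer raises, wiring `session_check()` into every handler, not storage. A `CHECK_TOKEN_MISMATCH` result is the event worth logging, since a legitimately logged-in browser never produces it by itself.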
