2008-05-05 Oddmuse has no OpenID support

A few days ago I started exploring the addition of OpenID to Oddmuse via a module (→ 2008-05-02 OpenID and Oddmuse). I realized that I would have to store some sort of secret in a session variable, because I cannot hit the authentication service for every hit I’m getting. Now, the obviously stupid idea is to store some sort of flag “validated url X” in the Oddmuse cookie. Then everybody can fake it. The less stupid idea is to implement a server side session saying “validated url X” per user. That also incurs a lot of maintenance problems: Sessions are persistent, i.e. stored in files. They need to be expired on the filesystem. CGI::Session is also yet another dependency. And anybody can listen in on the traffic, steal the session ID, and thus circumvent authentication.

The only way to circumvent that is by using an encrypted connection. But once you’re using SSL, you might as well be using a webserver plugin that solves your authentication problems: mod_auth_openid for Apache 2!

That’s the only real solution to the problem. *Everything else is just window-dressing*.

Based on that premise, it would be possible to build a little module for Oddmuse that implements ACLs based on OpenID using the environment variable `REMOTE_USER`.
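A sketch of the core check such a module would need, added here as an illustration and not Oddmuse’s own code: it assumes mod_auth_openid has already verified the OpenID and set `REMOTE_USER`, that the allow list `@acl` (with constructed sample identifiers) is hypothetical, and that pages without a rule stay editable by anyone, as on a normal wiki.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allow list (constructed sample): a page-name pattern and the
# OpenID URLs allowed to edit pages matching it. First matching rule wins.
my @acl = (
    [ qr/^Admin/, ['https://alex.example.org/'] ],
    [ qr/^Draft/, ['https://alex.example.org/', 'https://bob.example.net/'] ],
);

# Normalize an OpenID URL so trivial variants compare equal: lower-case the
# scheme and host, default to http://, and use "/" for an empty path.
sub normalize_openid {
    my ($id) = @_;
    return '' unless defined $id && length $id;
    $id = "http://$id" unless $id =~ m{^https?://}i;
    my ($scheme, $host, $rest) = $id =~ m{^(https?)://([^/?#]+)(.*)$}i
        or return '';
    $rest = '/' if $rest eq '';
    return lc($scheme) . '://' . lc($host) . $rest;
}

# Decide whether the current user may edit $page. $remote_user comes from
# $ENV{REMOTE_USER}, which under Apache's CGI interface only the web server
# sets, after mod_auth_openid has completed the OpenID exchange; headers sent
# by the client arrive as HTTP_* variables instead, so a request cannot forge it.
sub may_edit {
    my ($page, $remote_user) = @_;
    for my $rule (@acl) {
        my ($pattern, $allowed) = @$rule;
        next unless $page =~ $pattern;
        my $user = normalize_openid($remote_user);
        return 0 if $user eq '';    # restricted page and nobody is logged in
        return (grep { normalize_openid($_) eq $user } @$allowed) ? 1 : 0;
    }
    return 1;    # no rule for this page: stays editable by anyone, as on a wiki
}

# Constructed value so the script can be run outside the web server.
$ENV{REMOTE_USER} //= 'HTTPS://Alex.example.org';
for my $page (qw(AdminPage DraftNotes HomePage)) {
    printf "%s: %s\n", $page,
        may_edit($page, $ENV{REMOTE_USER}) ? 'edit allowed' : 'edit denied';
}
```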

#Oddmuse #Web #Security