SUL status update…

Status update…

CentralAuth global logins are still restricted to the sysop beta, but Werdna and Tim have been doing some good work on cleaning things up…

  • Tim’s done a lot of code refactoring to clean up User object behavior
  • Werdna’s added support for global sessions based on Tim’s suggested model. Tim and I have helped with some cleanup on it…
  • I put together a threat assessment of the security impact of global session cookies and some mitigation strategies
  • One of my suggestions was to use HttpOnly mode for session and token cookies, where browsers support them. This will largely block XSS attacks from jumping between subdomains or stealing cookies for reuse by an attacker. Werdna’s added support for HttpOnly cookies under PHP 5.2; currently we can’t deploy this until we finish upgrading some of our machines.
  • I’ve enabled global sessions on secure.wikimedia.org, where there’s a single domain and few other services to increase the attack surface. It _seems_ to mostly work so far. ;)

    Logging out doesn’t quite clear all sessions correctly yet, but so far so good. :)
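As an added illustration of the HttpOnly mitigation described in the list above (this is example code written for this page, not MediaWiki or CentralAuth code), here is what the weak and hardened cookie settings look like in PHP 5.2 or later. The cookie names, the domain and the lifetime are placeholders; `random_bytes()` requires PHP 7.

```php
<?php
// Added example, not MediaWiki/CentralAuth code. Shows the two ways to get
// HttpOnly cookies out of PHP >= 5.2: the native session cookie, configured
// through ini settings / session_set_cookie_params(), and a hand-issued token
// cookie via setcookie(). Names, domain and lifetime are placeholders.

$domain = '.example.org'; // placeholder: parent domain whose subdomains share the login

// Weak (what the page describes as the risk): without HttpOnly the session
// cookie is visible to document.cookie, so an XSS on any subdomain under
// $domain can read it and hand it to an attacker for replay.
//   ini_set('session.cookie_httponly', 0);

// Hardened: mark the session cookie HttpOnly, and Secure as well since the
// page's first deployment is on an HTTPS-only host.
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);
// Arguments: lifetime (0 = browser session), path, domain, secure, httponly
session_set_cookie_params(0, '/', $domain, true, true);
session_start();

// Hand-issued token cookie (e.g. an edit/CSRF token): the 7th setcookie()
// argument is the HttpOnly flag, available from PHP 5.2.0.
$tokenName = 'demoToken';               // placeholder cookie name
$token     = bin2hex(random_bytes(16)); // CSPRNG; PHP 7+
setcookie($tokenName, $token, 0, '/', $domain, true, true);

/**
 * Defensive check for a response: true only if every queued Set-Cookie
 * header carries the HttpOnly attribute. Pass headers_list() under a web
 * SAPI; a constructed array is passed in the demo below.
 */
function allCookiesHttpOnly(array $headers)
{
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie:') === 0 && stripos($h, 'httponly') === false) {
            return false; // a cookie is readable by script
        }
    }
    return true;
}

// Constructed sample headers to show the check distinguishing the two cases.
$before = array('Set-Cookie: demoSession=abc; path=/; domain=.example.org; secure');
$after  = array('Set-Cookie: demoSession=abc; path=/; domain=.example.org; secure; HttpOnly');
var_dump(allCookiesHttpOnly($before)); // bool(false)
var_dump(allCookiesHttpOnly($after));  // bool(true)
```

Note the limit the post's "largely block" hints at: HttpOnly stops script from reading or exfiltrating the cookie, but a script running on the origin can still issue requests that the browser will send the cookie with, so it complements rather than replaces output escaping and per-request tokens.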