Sessions

Session are created by the GridShib-CA using the CGI::Session module. A session consists of a set of name/value pairs identified by a session identifier. The session identifier is a long random string of printable ASCII characters meant to resist guessing for the lifetime of a session. An example session identifier is "fe2ab35e5a5305c2b25e207d8a5bf7c3".

Session Identifiers are Sensitive


Session Identifiers MUST be kept private by the GridShib-CA and the user to which they were issued. Obtaining a valid session identifier would allow a third party to impersonate the user to the GridShib-CA. Lifetimes of sessions are kept short to mitigate this risk.

Session Types

There are two session types: browser sessions and credential issuance sessions.

Browser sessions (identified with a Type element of Browser) are created when a users authentications via a web sign-on method (e.g. OpenID, Shibboleth). The session identifier is stored in a cookie in the user's browser and is used to authenticate the user's browser on subsequent accesses. The lifetime of these sessions is controlled by the DefaultLifetime parameter in the Session section of gridshib-ca.conf.

Credential issuance sessions (identified with a Type element of CredentialIssuer) are created when the user launches a credential retrieval client and are used by the client to authenticate it's credential issuance request to the GridShib-CA. The maximum lifetime of these sessions is determined by the CredentialRetrieverClientLifetime parameters in the Session section of gridshib-ca.conf. Note however that these sessions are single use, in that they are destroyed when successfully used.

The IssueCred.pm module is currently the only module that requires the Credential issuance session. This also provides CSRF protection for that module.

Time Values

All time values are strings representing integrers which represent seconds since 0 hours, 0  minutes, 0 seconds, January 1, 1970, Coordinated Universal Time, without including leap seconds.

Expiration

Sessions have a lifetime (encoded by the "Expires" parameter) after which they MUST be treated as expired and not honored. See previous section on "Time Values" for how this times is encoded.

Values

A Session MUST contain the following name/values:
  • Type
    • A string containing either "Browser" or "CredentialIssuer" indicating the type of session.
  • ClientHost
    • A string containing either the hostname or IP address of the client when the initially authenticated.
  • lifetime
    • A string containing a time value for lifetime of the session. See previous section on "Lifetime."
  • IdP
    • A string containing the identifier of the identity provider who asserted the user identifier.
  • UserId
    • A string containing the identifier for the user as asserted by the identity provider.
  • AuthnMethod
    • A string containing an identifier of the web auhentication method used by the user to establish the session. Current identifiers are "Shibboleth" and "OpenId".
The session MAY contain other meaningful values.

Safe Usage

Note that none of the values are sanitized for any particular usage (e.g. displaying in HTML, using in SQL statements). Applications using the values MUST take care to do any specific encoding needed for security.

File Encoding

The GridShib-CA uses the CGI::Session module to store Sessions. The following sections captures a reverse engineering of that storage for other applications that may want to use the GridShib-CA sessions.

File Location


Files are stored in the path given by the Directory element in the Session block of gridshib-ca.conf. By default this will be /var/run/gridshib-ca.

File Name

The file is stored in the local system temporary files directory, typically /tmp.

The file name will be the string "gsca-session-" followed by the session identifier.

Example file name: /tmp/gsca-session-fe2ab35e5a5305c2b25e207d8a5bf7c3

File Contents


The files contains a single line, which has the following form:

<var> = { <variable> = <value>, <variable> = <value>, ... <variable> = value};; <var>

  • <var> seems to always be the string "$D".
  • <variable> is a variable name delimited by single quotes.
  • <value> is one of three forms:
    • A string representing the value of the associated variable delimited by single quotes.
    • A string representing a time value. These are internal to CGI::Session.
    • A set of curly brackets containing a set of variable/values pairs. This only seems to be used for variable-specific expiration, which is not used by the GridShib-CA.
    • Each <value> is followed by a comma unless it is the last value before the closing curly brace.
  • There are two semi-colons after the closing curly brace for unknown reasons.
  • <var> is repeated after the semi-colons for some reason.

Example File Contents (originally on a single line, wrapped for readability):
$D = {'_SESSION_ID' => 'fe2ab35e5a5305c2b25e207d8a5bf7c3','ClientHost' => '127.0.0.1','UserId' => 'http://vwelch.myopenid.com/','lifetime' => '300','_SESSION_REMOTE_ADDR' => '127.0.0.1','_SESSION_CTIME' => 1259028710,'AuthnMethod' => 'OpenId','_SESSION_ATIME' => 1259028713,'IdP' => 'http://vwelch.myopenid.com/','_SESSION_EXPIRE_LIST' => {}};;$D

Comments