Users' sites could steal cookies from other users' sites and from the main Ubuland site

Bug #245982 reported by Greg A
Affects: Ubuland
Status: Confirmed
Importance: Critical
Assigned to: Unassigned
Milestone:

Bug Description

We use a single cookie for validating login: 'login', which stores a copy of the 'loginKey' database value. This cookie can be seen and accessed by web pages in www.ubuland.org/~username/ as it is the same domain as www.ubuland.org.

For example, everyone visiting www.ubuland.org/~fluteflute/ who was logged in to Ubuland could have their login cookie 'stolen' and used by me to trick the Ubuland system into thinking I was logged in as that user, hence allowing me to change their account settings or worse.

This could be prevented by assigning web space in the form username.ubuland.org/ rather than ubuland.org/~username/; however, there may be an alternative solution which preserves the agreed format.

Greg A (etulfetulf)
Changed in ubuland:
importance: Undecided → Critical
milestone: none → alpha-two
David Futcher (bobbo) wrote :

Confirming this bug. Example scenario:

User 'attacker' (/~attacker) sets up a website that secretly steals the login keys of other Ubuland users (say he stole the cookie of /~saj0577). From this he could forge a new cookie, with the stolen login key, which would trick the current system into thinking he was Saj0577 and therefore would have access to Saj's account.

If there is a way for new cookies to be forged (I am not very knowledgeable about this) this is definitely a big problem. Otherwise it still isn't ideal for users to know other users' current Ubuland login keys, just in case there are other ways this can be exploited.

Changed in ubuland:
status: New → Confirmed
Greg A (etulfetulf) wrote :

Cookies can definitely be forged. Perhaps the easiest way would be for the user 'attacker' to set up a page under their webspace that sets the login cookie to a certain value and then to visit that page themselves to forge/get the cookie. There are other ways (such as Firefox extensions).

David Futcher (bobbo) wrote :

OK, definitely a problem then! Are there any ways to fix this, other than changing to username.ubuland.org?

Greg A (etulfetulf) wrote :

I'm not sure. It seems that you can set cookies only to work for certain folders and then that folder's subfolders. However, this doesn't really work unless we put the main site in its own folder. So ubuland.org/main/ or something else.

There might even be a better way of authenticating users that would prevent us from this bit though.

However, there could still be conflicts. For example, if user ~person could access ~anotherperson's cookies. E.g. if two users installed phpBB and both tried to use the same set of cookies. The problems seem endless.

Perhaps we could ask for advice on the Ubuntu Forums programming section (http://ubuntuforums.org/forumdisplay.php?f=39)?
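
The cookie-scoping rules behind this report and the folder (Path) idea in the comment above, as an added example that is not part of the original thread: it applies the RFC 6265 domain-match and path-match rules to the 'login' cookie under both ~username and username.ubuland.org hosting. The cookie attribute values, the layout names and the page URLs are constructed assumptions.

```javascript
// Added example: RFC 6265 cookie matching; attribute values below are constructed.

// RFC 6265 section 5.1.3: a host-only cookie needs an exact host match.
function domainMatch(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// RFC 6265 section 5.1.4: prefix match that must end on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// True when the browser attaches the cookie to a request for `url`.
function isSent(cookie, url) {
  const u = new URL(url);
  return domainMatch(u.hostname, cookie) && pathMatch(u.pathname, cookie.path);
}

// True when script on the page at `url` can read it through document.cookie.
function scriptReadable(cookie, url) {
  return !cookie.httpOnly && isSent(cookie, url);
}

const login = { domain: "www.ubuland.org", hostOnly: true, path: "/", httpOnly: false };
const layouts = {
  reported: login,                           // Set-Cookie with no Domain attribute
  pathScoped: { ...login, path: "/main/" },  // main site moved to /main/
  parentDomain: { ...login, domain: "ubuland.org", hostOnly: false }, // Domain=ubuland.org
  httpOnly: { ...login, httpOnly: true },
};
const userDirPage = "http://www.ubuland.org/~fluteflute/index.html";
const userHostPage = "http://fluteflute.ubuland.org/index.html";

// For each cookie layout, report exposure to a user page in both hosting schemes.
function audit() {
  const rows = {};
  for (const [name, c] of Object.entries(layouts)) {
    rows[name] = { dirSent: isSent(c, userDirPage),
                   dirScript: scriptReadable(c, userDirPage),
                   hostSent: isSent(c, userHostPage) };
  }
  return rows;
}
console.table(audit());
```

The `pathScoped` row shows the cookie no longer being sent to the user directory, but RFC 6265 section 8.5 states that Path cannot be relied on to isolate pages on the same host. The `parentDomain` row shows that per-user subdomains only help while the login cookie stays host-only, and the `httpOnly` row shows the cookie still travelling on every request into the user directory.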

David Futcher (bobbo) wrote :

Re-targeting to alpha-three. I think we need a discussion on IRC for the best way to fix this bug.

Changed in ubuland:
milestone: alpha-two → alpha-three
David Futcher (bobbo) wrote :

How to fix this (potentially):

22:52 <@bobbo> we use apache virtual hosts
22:52 <@bobbo> everyone has a subdomain
22:52 <@bobbo> it's easy to do in apache and also pretty easy to automate
22:53 <@bobbo> so that when traffic comes from bobbo.ubuland.org, apache goes,
               oh i know where that is and goes and gets it from /home/bobbo/
22:53 <@bobbo> and all cookies are filed under bobbo.ubuland.org
22:53 <@bobbo> sorted

Greg A (etulfetulf) wrote :

I have no idea how to set it up (I have no experience of DNS or Apache virtual hosts) but it sounds good! :)

David Futcher (bobbo) wrote :

From what I can see it's fairly simple to do (at least simple enough to script). I think we are going to need the Ubuland domain name to set it up properly though.

It looks a bit like this:

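<VirtualHost *:80>
   # Name-based virtual host: Apache picks this block from the request's Host header
   ServerName bobbo.ubuland.org
   # ... other Apache rules for this host
   DocumentRoot /home/bobbo/public_html
</VirtualHost>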

So when Apache receives traffic from the address bobbo.ubuland.org it goes to /home/bobbo/public_html to get my website. If I'm not talking rubbish, this should actually work. I think we might need to set up a DNS server for this, so DNS servers don't just go 'bobbo.ubuland.org doesn't exist, not sending you anywhere', but Saj knows a lot more about DNS than me, so we better ask him.

David Futcher (bobbo) wrote :

I've found a potentially much easier way to do it that might work better. We will definitely need to get ubuland.org, but it should work with much less config hassle:

http://muffinresearch.co.uk/archives/2006/08/20/redirecting-subdomains-to-directories-in-apache/

David Futcher (bobbo)
Changed in ubuland:
assignee: nobody → bobbo
status: Confirmed → In Progress
David Futcher (bobbo)
Changed in ubuland:
assignee: bobbo → nobody
status: In Progress → Confirmed
This report contains Public Security information  
Everyone can see this security related information.