0
votes

I have a website which runs in Perl cgi files. When a user logs in it creates a new session using Perl CGI::Session.

The problem comes from accessing two duplicated websites located under different user directories. For example, www.abc.edu/~AAA/project/ and www.abc.edu/~BBB/project/

These are exactly the same website on the same machine, so they share the same /tmp directory.

When I log in to AAA's website (~AAA/project/*), it creates a session cookie on my computer, in which the domain name is abc.edu. Then it creates session information in the /tmp directory, which is owned by 'AAA', because the owner of the script is supposed to be 'AAA'.

Then if I access BBB's website (~BBB/project/*), it tries to use the session info stored on my computer because the domain name is the same. However, since the session info stored in /tmp is owned by 'AAA', it cannot read or write the session information.

[edit] This is like A/B testing websites, and I agree that they should not share the sessions information.

I am thinking that the session information stored in /tmp should be readable and writable by anyone in this case to resolve the issues.

[edit] I realized the security issues that @simbabque pointed out, and I also found that the -path parameter of session cookies can be used to differentiate those two groups of users. So now my question is: what if I indeed want to use a common authentication system between those two websites, how can I share the session information without causing security issues? What is the typical way to handle this in an A/B testing and shared authentication system? Thanks for your help.

1
Are both project installations the same software in the same version, installed to two system users' spaces? Do you want them to share one session system? Do you want the visitors of AAA/project, when they log in, to be logged in to BBB/project as well? I see a few security concerns with that. What if in BBB someone makes malicious changes to the code, to steal the visitors' information? They trusted AAA, but who says they are trusting BBB too? - simbabque
@simbabque Right, I realized the security issues that you pointed out. I also noticed that session cookies can contain not only the host but also path information. Sharing the session information seems like a very bad approach security-wise. - Jiho Noh
But that doesn't answer my clarification requests. If the question has changed for you now, please edit in the changes. - simbabque
@simbabque I've edited my question. My problem is kind of resolved now, but I am still curious about this situation; two websites under different user spaces and sharing sessions. Thanks for your help. - Jiho Noh
I don't understand the A/B-testing angle. Why would you run two completely different applications, or copies of the same application, as two different users if you want to A/B-test something? Even if you would change control flow for one of the two buckets, then you'd also need something up front to decide, based on a testing-bucket cookie, where the user's requests go, because you can't just send them to a different URL altogether. If you can set that up, making them share session files should be the easiest part. - simbabque

1 Answer

0
votes

I was planning to write a long answer with an example application, but after rereading your comments and the question I think the answer is rather simple:

If you intend to use one login mechanism and the site's users are aware of this, then there is no security concern. It's being done all the time. A lot of systems today are made up of more than just one program to form one application, and they need to do that.

If the ownership of the files in the temp directory is a problem because the applications run as different system users, then simply don't use files as the session storage. Use a database or a key/value-store for example.

Or you could put both users into the same group and make the files group-read-writable. There are a lot of solutions here.
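The following is an added example, not code from the question or the answer, showing the two points raised above in one Perl CGI script: the session store is moved out of /tmp into an SQLite database that CGI::Session reads through its DBI-based sqlite driver, so file ownership by 'AAA' or 'BBB' no longer matters, and the session cookie's -path decides whether both installations share the login or stay separate. The database location /var/lib/project-sessions/sessions.db, the group name "projweb" and the check_credentials stub are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the question or answer): one shared session store
# for two copies of a Perl CGI application that run as different system users,
# using CGI::Session's sqlite driver instead of files in /tmp.
# Assumption: the directory below is owned by a group both users belong to
# (hypothetical group "projweb"), e.g. set up once with
#   chgrp projweb /var/lib/project-sessions && chmod 2770 /var/lib/project-sessions
use strict;
use warnings;
use CGI;
use CGI::Session;
use DBI;

my $DB_FILE = '/var/lib/project-sessions/sessions.db';   # shared, not /tmp

# Open the store. The table layout is the one CGI::Session::Driver::DBI
# expects: a 32-character id column and a serialized session column.
sub open_session_store {
    my $dbh = DBI->connect( "dbi:SQLite:dbname=$DB_FILE", '', '',
        { RaiseError => 1, AutoCommit => 1 } );
    $dbh->do(q{
        CREATE TABLE IF NOT EXISTS sessions (
            id        CHAR(32) NOT NULL PRIMARY KEY,
            a_session TEXT     NOT NULL
        )
    });
    return $dbh;
}

# Load the visitor's existing session from the shared table, or start a new one.
sub get_session {
    my ( $cgi, $dbh ) = @_;
    # The session id is read from the CGISESSID cookie (or query parameter);
    # an unknown or expired id yields a fresh, empty session.
    my $session = CGI::Session->new( 'driver:sqlite', $cgi, { Handle => $dbh } )
        or die CGI::Session->errstr;
    $session->expire('+1h');    # idle timeout, enforced on every load
    return $session;
}

# Stand-in for the real credential check (hypothetical; replace it).
sub check_credentials {
    my ( $user, $pass ) = @_;
    return defined $user && defined $pass && $user eq 'demo' && $pass eq 'demo';
}

my $cgi     = CGI->new;
my $dbh     = open_session_store();
my $session = get_session( $cgi, $dbh );

# Handle a login attempt: only a successful check stores the user name.
if ( defined $cgi->param('login') ) {
    if ( check_credentials( scalar $cgi->param('user'), scalar $cgi->param('pass') ) ) {
        $session->param( 'user', scalar $cgi->param('user') );
    }
}

# Send the session cookie. With -path => '/' both ~AAA/project and
# ~BBB/project receive it, which is what one shared login requires; to keep
# the two installations separate instead, use -path => '/~AAA/project/'.
my $cookie = $cgi->cookie(
    -name     => $session->name,
    -value    => $session->id,
    -path     => '/',
    -secure   => 1,    # only sent over HTTPS
    -httponly => 1,    # not readable from page scripts
);
print $cgi->header( -cookie => $cookie, -type => 'text/plain' );

my $user = $session->param('user');
print defined $user ? "Logged in as $user\n" : "Not logged in\n";

$session->flush;    # write the session back to the shared table before exit
$dbh->disconnect;
```

Because every request goes through the same SQLite table, it does not matter which system user the CGI script runs as, only that both can open the database file; the setgid group directory keeps new files group-writable without making them world-readable, which is the part of the original /tmp idea worth avoiding.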