New Feature: Clockskew #84
Conversation
|
+10000000000000000000 with the following comments:
|
|
| @@ -119,7 +123,7 @@ protected function validateDigest($digest, $nonce, $created, $secret, $salt) | |||
| } | |||
|
|
|||
| //expire timestamp after specified lifetime | |||
| if(strtotime($this->getCurrentTime()) - strtotime($created) > $this->lifetime) | |||
| if(strtotime($this->getCurrentTime()) - strtotime($created) > ($this->lifetime - $this->clockSkew)) | |||
By adding the clock skew option Source: djoos/EscapeWSSEAuthenticationBundle#84
…kew from lifetime fixes nothing for out of sync clients and only shortness the lifetime for correctly synced clocks.
|
Any news? I would really love to see this merged. |
|
Same here, is there anything i need to do to get this one merged? Once upon a 19 Aug 2016, Márk Sági-Kazár hit keys in the following order:
Hostage |
| @@ -99,7 +100,8 @@ public function addConfiguration(NodeDefinition $node) | |||
| ->scalarNode('date_format')->defaultValue( | |||
| '/^([\+-]?\d{4}(?!\d{2}\b))((-?)((0[1-9]|1[0-2])(\3([12]\d|0[1-9]|3[01]))?|W([0-4]\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\d|[12]\d{2}|3([0-5]\d|6[1-6])))([T\s]((([01]\d|2[0-3])((:?)[0-5]\d)?|24\:?00)([\.,]\d+(?!:))?)?(\17[0-5]\d([\.,]\d+)?)?([zZ]|([\+-])([01]\d|2[0-3]):?([0-5]\d)?)?)?)?$/' | |||
| )->end() | |||
| ->arrayNode('encoder') | |||
| ->scalarNode('clock_skew')->defaultValue(60)->end() | |||
There was a problem hiding this comment.
Could you make sure to set a default value of 0?
There was a problem hiding this comment.
done, good idea, keeping the behaviour the same as without these changes.
| @@ -158,7 +162,7 @@ protected function getCurrentTime() | |||
|
|
|||
| protected function isTokenFromFuture($created) | |||
| { | |||
| return strtotime($created) > strtotime($this->getCurrentTime()); | |||
| return strtotime($created) - $this->clockSkew > strtotime($this->getCurrentTime()); | |||
There was a problem hiding this comment.
If we take clock skew (offset) into consideration upon determination whether the token is from the future (by subtracting the skew from the created time), shouldn't we also take the same clock skew (offset) into consideration when determining whether the token is valid (by adding the skew to the created time)?
Perhaps extracting https://github.com/hostage-nl/EscapeWSSEAuthenticationBundle/blob/0b1c36e8151049aba7beeaa27045dd19ca30d65d/Security/Core/Authentication/Provider/Provider.php#L125-L129 into a isTokenExpired-method, where clock skew is used as follows?
strtotime($this->getCurrentTime()) - strtotime($created) - $this->clockSkew > $this->lifetime
There was a problem hiding this comment.
Well, i initially implemented something like this, but the opposite. Your solution would limit the lifetime with correctly synced clocks. I considered the clock skew to be a margin of acceptable error, the allowed time difference between the client clock and the systems clock. So the clock skew would have to be added to the current time, so that a client clock which would be in de past, would have an extended lifetime of clock skew seconds.
Then i thought, is this really a nice to have feature? For a client clock being set to 29 secs in to the future and a clock skew setting of 30 secs, this would mean extending the lifetime by 59 seconds, which didn't feel like something that would be desirable.
I came to the conclusion it would be better to determine the clock skew automatically by determining the difference between the "Created" timestamp of the requesting WSSE header and the servers current time. I was confused about if it would be possible to create something like this, and because the project i was working on was fixed by my patch, i moved on and forgot about it.
So for now i would suggest not using the clock skew for expiration time and maybe file a feature request for dynamic determination of the clock skew.
| @@ -46,6 +46,7 @@ public function testCreate() | |||
| $profile = 'someprofile'; | |||
| $lifetime = 300; | |||
| $date_format = '/^([\+-]?\d{4}(?!\d{2}\b))((-?)((0[1-9]|1[0-2])(\3([12]\d|0[1-9]|3[01]))?|W([0-4]\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\d|[12]\d{2}|3([0-5]\d|6[1-6])))([T\s]((([01]\d|2[0-3])((:?)[0-5]\d)?|24\:?00)([\.,]\d+(?!:))?)?(\17[0-5]\d([\.,]\d+)?)?([zZ]|([\+-])([01]\d|2[0-3]):?([0-5]\d)?)?)?)?$/'; | |||
| $clock_skew = 60; | |||
There was a problem hiding this comment.
I'd suggest using the default (0) here in the existing tests, but adding some specific tests for the clock skew feature.
Hi,
I experience problems with clients with a slight clock skew, even though their time is synced (the default microsoft way). The time is a tiny bit in the future so WSSE authentication always fails. The server is properly synced with ntp.
With clock skew configuration parameter i added, i've introduced a margin within which clock skew is allowed.
I would appreciate if you could merge this pull request.
Thanks!
martijn.