Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can I secure an icalendar (.ics) subscription?

Tags:

php

apache

icalendar

cakephp

I have a multi-user website and want to publish an individual icalendar subscription file (.ics) for each user.

Our apache server is configured to only provide access over https.

One method I have considered is, when the user first asks for their subscription URL, generate a long, random secret key and include that in the URL. A hash of that key would then be stored in the database. Example: https://site.com/calendar/user_id/dQXeCgtiOmZ5lAXoedmujiuA47VmCgA5OIfE6vZ8BhJT3Rxh20b9Ci.ics

All pages in our cakephp app require the user to be logged in (expect the login page obviously). I would configure the ics file to also not require the user to be logged in, but to only display when the correct secret key (tested against the hash) was supplied.

Are there any drawbacks to this method?

Is there a different method that I should be using?

I have seen examples of people including basic authentication in the subscription URL, but that sounds like it would be worse. Example: https://user:[email protected]/calendar/user_id

This is being deployed in a school environment, so the iCalendar subscriptions contain fairly mundane things such as class timetables and assignment due dates, but I still want to keep it secure.

like image 620
Stoz Avatar asked May 26 '14 01:05

Stoz

1 Answers

The drawback to adding non-expiring secrets to urls is that they may 'leak' to other systems. Anything that reads an iCalendar feed will not really consider the feed url itself to be very sensitive, and these urls may be stored in parts of the system that other applications may read.

The iCalendar feeds may be cached, so cached copies of that feed + their secrets may live in local browser caches, corporate network caches and other intermediaries.

When a user clicks a url like that for the first time, browser toolbars may log the request and send it to external services as well.

That's just a few vectors. Using basic auth is not worse, just don't embed it in the url and require from the user to type their password again.

I can't decide for you whether any of this is an acceptable risk though. We do use secret urls for some stuff.

like image 103
Evert Avatar answered Oct 11 '22 10:10

Evert
Sign in to Comment

Related questions

Add delay before PHP echo
Using Symfony2 assetic results in 404
PHP/MYSQL Update only first row with defined value
xsendFile downloads have 0 bytes
How can I use str_getcsv() and ignore commas between quotes?
How to Integrate TinyMCE editor with php
Get Return Value from SQL Stored Procedure using PHP
Call mkdir() once in method of controller
How to modify the "cn" and "name" attributes in Active Directory via PHP LDAP class
Magento registration form
Display single latest instagram photo on your website
Search string in php for characters that are not
PNG_ALL_FILTERS, adaptive filtering in php gd
phpmyadmin 3.4.0 ERD to PDF
Yii2: How to make validation rule message not to be encoded?
PHP cannot read sessions from NFS share
Get Visitors Name from Logged In Social Networks
Why is CodeIgniter exhausing allowed memory size?
What happened to php_mysql.dll?
Laravel 4 Artisan error when trying to install a bundle

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!