Yireo - Extensions, tutorials and blog for Magento and Joomla!

How MageBridge improves security

Coming back from a hackers congress in Las Vegas, the Yireo team has refreshed its memory in regard to security. And it comes to mind where MageBridge stands regarding security. It combines Joomla! and Magento, but does it introduce new security risks? What counter-measures does it take against hackers? Here's an overview.

Not our problem

The first and most important thing to be said here is that it's not our problem. True, we sell a product commercially and it's fair to ask some support here. But because MageBridge is nothing more than the glue between Joomla! and Magento, the real security issues are within Joomla! and Magento and these issues need to be resolved there. While MageBridge of course is responsible for mapping users or authorizing access to certain pages, the actual configuration of security needs to be done in Joomla! and Magento.

Those parts of MageBridge that need to be secure, are already secured. For instance, passwords are never send as plain text over the Internet - even if SSL is disabled, we still use our encryption algorithm. But combining Joomla! and Magento also opens up for some new opportunities. So let's discuss those here.

Improving session security

Synchronizing users is all about sessions. Every time an user logs into Joomla!, a session is started. MageBridge not only needs to keep track of the Joomla! session, but also of the bridge-session when connecting to Magento. Even worse, when implementing Single Sign On, this bridge-session needs to be in sync with the browser-session. MageBridge doesn't mess around with simple SSO-techniques like cookie-sharing (which introduces extra security risks), but instead synchronizes sessions in a secure manner.

Because of this dealing with sessions, MageBridge is in charge when it comes to Magento-sessions in Joomla!. And it thus allows for improving them. For instance, when you login to Magento, your session-ID remains the same as it was before. This allows for session fixation attacks, during which a hacker tries to guess the session-ID and take-over the session. This is prevented by regenerating the session-ID as soon as something important is changing (login, logout). At the moment MageBridge implements this security feature when using Single Sign On, but we are investigating using this technique more often.

Improving forms

Since version 1.5.3 or so, Joomla! has introduced extra security for webforms by using tokens. Every form is shipped with a token, making it unique per session. And if the form is submitted without a valid token, the page crashes. This makes it very hard for hackers to spoof forms (but not impossible). Magento does not use such a mechanism (yet).

We are currently working on adding the Joomla! token-mechanism (JToken) to Magento blocks. This will secure those forms instantly without the need to modify the Magento theme or modules. This is certainly a feature which will be implemented within a month or so.