WebApp Sec mailing list archives
Re: Transferring a Session
From: Blasted <blasted () tech9security com>
Date: Wed, 5 May 2004 04:58:35 -0500
Would storing your sessions in a database work in this scenario?

If the two systems don't share a database, you could also have another channel through which they replicate sessions, like web services running on another port, and have them send encrypted session information over it. The secondary system could reject the xfer if it wasn't from the right place. The cookie or session string would auth the user across the systems.

-David

On Monday 03 May 2004 17:33, David Robert wrote:
Hello all,

I have a problem I would like some input on. I need to implement a solution that allows one website to securely transfer 'logged in' state to another website. I know this problem must have been solved 100 times before, but I have not found a simple 'open' standard procedure for solving this. Maybe it's just too simple? In any case, suggestions appreciated. Further details below.

Requirements/Constraints:

1) System A authenticates users.
2) System A needs to present a link/form to the user that brings them to a logged in session on System B.
3) System B is written in Java and uses SSL, form based, username/password authentication.
4) Users are created on System B from System A data that identifies the user on System A (System A identifiers). This data is unique and unchanged over time. System B creates a tentative user (and generates a username/password) from this information. An administrator on System B will later authorize this creation. The System B username/password is never changed.
5) We are looking for a system that is easy to implement and consistent with the level of security already present - i.e. open to man in the middle attacks, etc.

Solutions:

There are 3 solutions I have been considering. They involve ensuring that:

a) The link/POST the user uses to get to System B really came from System A.
b) System A identifiers on the request have been unchanged.

The solutions I am considering are:

1) Sign the parameters of the request generated on System A with a private key. Use the public key on system B to verify the sender and contents.
2) Create a service on system B that will create a time-dependent token. System A validates itself with B and gets a token. It includes it on the generated link/POST for the user. The token is used by system B to verify the request.
3) Like #1 but use a common secret key for both system A and B. Request parameters will be signed by this key.

Recommendations on the signing algorithm to use?
Of course, all requests between system A, B and the user are SSL. The 'time dependent' nature of the last two is at the request of the client. They are concerned that the link can be read from the browser's cache by an attacker. Is this really a problem if the page on system A is set to not be cached?

Any input appreciated,

-David

-----Original Message-----
From: dave kleiman [mailto:dave () isecureu com]
Sent: Sunday, May 02, 2004 1:08 AM
To: webappsec () securityfocus com
Subject: ISAPI

Hello,

Is there a timeout setting anywhere for an ISAPI.dll in IIS5? We have an issue where the ISAPI request is made, the server is trying to write it to the client and it is timing out.

_____________________________________
Dave Kleiman, CISSP, MCSE, CISM, CIFI
www.SecurityBreachResponse.com
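The signed-link scheme David Robert sketches as option 3 (a shared secret, with the time-dependent element his client asked for), worked through as an added example; this is not code from anyone in this thread. It assumes a shared secret provisioned to both systems out of band, a 5-minute acceptance window, a hypothetical landing URL on System B, and constructed sample identifiers. System A signs the System A identifiers together with a timestamp and a one-time nonce using HMAC-SHA256; System B recomputes the MAC, rejects stale or replayed links, and only then logs the user in. Option 1 differs only in swapping the HMAC for an asymmetric signature over the same canonical string.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed shared secret for illustration only; provision it to both
# systems out of band and never embed it in a page or a link.
SHARED_SECRET = b"constructed-example-secret-for-systems-A-and-B"
# Hypothetical acceptance window in seconds: clock skew between A and B
# plus the time the user needs to click the link.
WINDOW_SECONDS = 300
# Hypothetical landing URL on System B.
SYSTEM_B_SSO_URL = "https://system-b.example/sso"


def canonical_string(params):
    """Sorted, URL-encoded parameters with the signature itself left out.

    Both systems must derive exactly the same bytes, so the order is fixed
    by sorting on the parameter name rather than trusting query order.
    """
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return urlencode(items).encode()


def sign_transfer(identifiers, secret=SHARED_SECRET, now=None, nonce=None):
    """System A side: bind the System A identifiers to a timestamp and a
    one-time nonce, then sign all of it with HMAC-SHA256."""
    params = {k: str(v) for k, v in identifiers.items()}
    params["ts"] = str(int(time.time() if now is None else now))
    params["nonce"] = nonce if nonce is not None else secrets.token_hex(16)
    params["sig"] = hmac.new(secret, canonical_string(params), hashlib.sha256).hexdigest()
    return params


def build_transfer_link(params, base_url=SYSTEM_B_SSO_URL):
    """Turn the signed parameters into the link System A presents to the user."""
    return f"{base_url}?{urlencode(sorted(params.items()))}"


def parse_transfer_link(link):
    """System B side: recover the parameters from the query string."""
    return dict(parse_qsl(urlsplit(link).query, keep_blank_values=True))


class TransferVerifier:
    """System B side: checks signature, freshness and single use."""

    def __init__(self, secret=SHARED_SECRET, window=WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        # nonce -> timestamp; in a multi-node deployment this lives in a shared store.
        self.seen = {}

    def verify(self, params, now=None):
        now = int(time.time() if now is None else now)
        # Drop nonces that are too old to be accepted anyway, so the store stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}

        expected = hmac.new(self.secret, canonical_string(params), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak how many leading bytes matched.
        if not hmac.compare_digest(params.get("sig", "").encode(), expected.encode()):
            return False, "bad-signature"

        try:
            ts = int(params["ts"])
        except (KeyError, ValueError):
            return False, "malformed"
        # Reject links that are stale, or improbably far in the future.
        if abs(now - ts) > self.window:
            return False, "expired"

        nonce = params.get("nonce", "")
        if not nonce or nonce in self.seen:
            return False, "replayed"
        self.seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    signed = sign_transfer({"uid": "A-12345", "email": "user@example.org"})
    link = build_transfer_link(signed)
    verifier = TransferVerifier()
    print(link)
    print(verifier.verify(parse_transfer_link(link)))  # (True, 'ok')
    print(verifier.verify(parse_transfer_link(link)))  # (False, 'replayed')
```

The nonce store is what answers the client's browser-cache worry: a link recovered from a cache verifies at most once, and not at all after the window closes, whether or not the page on System A was marked non-cacheable. SSL is still needed on every hop, since the MAC proves origin and integrity of the parameters but does not hide them.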
Current thread:
- ISAPI dave kleiman (May 02)
- RE: ISAPI Philip Wagenaar (May 02)
- RE: ISAPI dave kleiman (May 02)
- Transferring a Session David Robert (May 05)
- Re: Transferring a Session Willie Northway (May 05)
- Re: Transferring a Session Blasted (May 05)
- Re: Transferring a Session Tim Bond (May 05)
- Re: Transferring a Session Rogan Dawes (May 05)
- <Possible follow-ups>
- RE: ISAPI Maxim Kostioukov (May 03)
- RE: ISAPI Philip Wagenaar (May 02)