WebApp Sec mailing list archives

Re: Cookie stealing and replay in a corporate single sign on environment


From: Willie Northway <willn () umich edu>
Date: Wed, 15 Jun 2005 09:57:59 -0400


On Jun 15, 2005, at 1:52 AM, Willard Fernortner wrote:
> Web single sign-on typically works using a shared cookie that is passed to all intranet web sites in the corporate domain (e.g. *.myintranet.com). Because these cookies are passed to ALL internal web sites, there are plenty of opportunities for these cookies to be stolen:

This is one of the drawbacks with using domain cookies. You might be interested in looking at cosign:

        http://www.weblogin.org/

The biggest difference with cosign is that it uses a back-side SSL connection to acquire credentials for each service, not relying upon a cookie issued by another server.

For example, you might login to the central SSO server, then attempt to access a protected resource. If that resource hasn't issued you a service cookie, then one will be created and registered with your session on the central weblogin server through a back-side SSL connection. For each service you use, a new cookie is created and registered. If a single service cookie is compromised, the attacker can't gain access to the rest of the SSO environment.

Send email to cosign () umich edu if you have further questions.

- Willie

--
Willie Northway                  University of Michigan Webmaster Team
http://willienorthway.com/       http://www.umich.edu/~umweb/
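An added illustration of the two cookie designs contrasted in the reply above: a single shared domain cookie accepted by every intranet host, versus a per-service cookie that the service mints and that is bound to the user's central session over a back channel. This is example code written for this archive page, not cosign's own implementation and not code from the poster; the class names, the service names, the credential check and the in-memory registries are all hypothetical, and the "back-side SSL connection" is modelled as a plain method call.

```python
import secrets

# Added example, not cosign's code.  Models the difference the post describes:
# one shared domain cookie vs. a per-service cookie registered with the central
# weblogin server over a back channel.  All names below are hypothetical.


class WebloginServer:
    """Hypothetical central SSO server."""

    def __init__(self):
        self.sessions = {}    # login cookie -> username
        self.registered = {}  # (service name, service cookie) -> login cookie

    def login(self, username, password):
        # Constructed credential check; a real server would consult a directory.
        if password != "correct horse battery staple":
            return None
        cookie = secrets.token_urlsafe(24)
        self.sessions[cookie] = username
        return cookie

    def register(self, login_cookie, service, service_cookie):
        # Reached by the browser being sent to weblogin, which is the only host
        # that ever sees the login cookie.  Binds the service's own cookie to
        # the user's central session.
        if login_cookie not in self.sessions:
            return False
        self.registered[(service, service_cookie)] = login_cookie
        return True

    def check(self, service, service_cookie):
        # Back-side call from a service (assumed TLS): is this cookie
        # registered *for this particular service*?
        login_cookie = self.registered.get((service, service_cookie))
        return self.sessions.get(login_cookie) if login_cookie else None


class Browser:
    def __init__(self, login_cookie=None):
        self.login_cookie = login_cookie  # cookie for the weblogin host only
        self.cookies = {}                 # service name -> service cookie


class CosignStyleService:
    """Each service issues and verifies only its own cookie."""

    def __init__(self, name, weblogin):
        self.name, self.weblogin = name, weblogin

    def request(self, browser):
        cookie = browser.cookies.get(self.name)
        user = self.weblogin.check(self.name, cookie) if cookie else None
        if user is None:
            # No valid cookie for this service yet: mint one, set it on the
            # browser, and send the browser to weblogin to register the pair.
            cookie = secrets.token_urlsafe(24)
            browser.cookies[self.name] = cookie
            if self.weblogin.register(browser.login_cookie, self.name, cookie):
                user = self.weblogin.check(self.name, cookie)
        return user


class DomainCookieService:
    """The shared-cookie model from the question: every host in the domain
    receives and accepts the one SSO cookie (simplified to a session lookup)."""

    def __init__(self, weblogin):
        self.weblogin = weblogin

    def request(self, browser):
        return self.weblogin.sessions.get(browser.login_cookie)


def demo():
    weblogin = WebloginServer()
    victim = Browser(weblogin.login("alice", "correct horse battery staple"))
    wiki = CosignStyleService("wiki", weblogin)
    payroll = CosignStyleService("payroll", weblogin)
    wiki.request(victim)     # victim visits both services and gets
    payroll.request(victim)  # a distinct registered cookie for each

    # Attacker captures the cookie the victim sent to the wiki host and
    # replays it from their own browser, against the wiki and against payroll.
    attacker = Browser()
    attacker.cookies["wiki"] = victim.cookies["wiki"]
    attacker.cookies["payroll"] = victim.cookies["wiki"]
    cosign_result = {
        "wiki": wiki.request(attacker),        # stolen cookie still works here
        "payroll": payroll.request(attacker),  # but grants nothing elsewhere
        "distinct_cookies": victim.cookies["wiki"] != victim.cookies["payroll"],
    }

    # The same theft under the shared-domain-cookie model: one cookie is sent
    # to every intranet host, so whoever captures it is "alice" everywhere.
    thief = Browser(login_cookie=victim.login_cookie)
    domain_result = {
        "wiki": DomainCookieService(weblogin).request(thief),
        "payroll": DomainCookieService(weblogin).request(thief),
    }
    return cosign_result, domain_result
```

The model keeps the post's own caveat visible: a stolen service cookie is still good for the service that issued it, so the gain is containment (one service, not the whole SSO environment) rather than immunity to theft. Cookie scoping with the Secure flag and short lifetimes on the service cookies, plus logging of the back-side checks, are the natural places to add further limits.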

