WebApp Sec mailing list archives
Re: Cookie stealing and replay in a corporate single sign on environment
From: Willie Northway <willn () umich edu>
Date: Wed, 15 Jun 2005 09:57:59 -0400
On Jun 15, 2005, at 1:52 AM, Willard Fernortner wrote:
-- Web single sign-on typically works using a shared cookie that is passed to all intranet web sites in the corporate domain (e.g. *.myintranet.com). Because these cookies are passed to ALL internal web sites, there are plenty of opportunities for these cookies to be stolen:
This is one of the drawbacks with using domain cookies. You might be interested in looking at cosign:
http://www.weblogin.org/

The biggest difference with cosign is that it uses a back-side SSL connection to acquire credentials for each service, not relying upon a cookie issued by another server.
For example, you might login to the central SSO server, then attempt to access a protected resource. If that resource hasn't issued you a service cookie, then one will be created and registered with your session on the central weblogin server through a back-side SSL connection. For each service you use, a new cookie is created and registered. If a single service cookie is compromised, the attacker can't gain access to the rest of the SSO environment.
Send email to cosign () umich edu if you have further questions.

- Willie

--
Willie Northway
University of Michigan Webmaster Team
http://willienorthway.com/
http://www.umich.edu/~umweb/
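A toy model of the per-service cookie flow described in the message above, added here as an illustration; it is not cosign's own code. The host names, the user table and the in-memory registration table are constructed for the example, and the back-side SSL connection between a service and the central weblogin server is reduced to a direct method call. The point it demonstrates is the one made in the post: a stolen service cookie replays only at the service that issued it, cannot be used to enrol other services, and dies with the central session.

```python
import secrets


class Browser:
    """Cookie jar for one client; cookies are keyed by the host that set them (constructed)."""

    def __init__(self):
        self.cookies = {}


class WebloginServer:
    """Central login server (hypothetical stand-in for the weblogin host, not cosign's code)."""

    HOST = "weblogin.example.edu"  # assumed host name

    def __init__(self, users):
        self.users = users        # constructed user -> password table
        self.sessions = {}        # login cookie -> user
        self.registered = {}      # (service name, service cookie) -> login cookie

    def login(self, browser, user, password):
        if self.users.get(user) != password:
            return False
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        browser.cookies[self.HOST] = cookie  # only ever sent to weblogin, never to a service
        return True

    def register(self, browser, service_name, service_cookie):
        """The browser is redirected here by a service; bind that service's cookie to the login session."""
        login_cookie = browser.cookies.get(self.HOST)
        if login_cookie not in self.sessions:
            return False
        self.registered[(service_name, service_cookie)] = login_cookie
        return True

    def check(self, service_name, service_cookie):
        """Back-side call from a service (over SSL in cosign); returns the user or None."""
        login_cookie = self.registered.get((service_name, service_cookie))
        if login_cookie is None:
            return None
        return self.sessions.get(login_cookie)  # None once the session has been logged out

    def logout(self, browser):
        self.sessions.pop(browser.cookies.pop(self.HOST, None), None)


class Service:
    """One protected web application with its own per-service cookie."""

    def __init__(self, name, weblogin):
        self.name = name
        self.weblogin = weblogin

    def access(self, browser):
        """Return the authenticated user, or None if the request is not authorised."""
        cookie = browser.cookies.get(self.name)
        if cookie is None:
            cookie = secrets.token_hex(16)
            browser.cookies[self.name] = cookie
            # Redirect to weblogin so the new cookie is registered with the login session;
            # this fails if the browser holds no valid weblogin login cookie.
            if not self.weblogin.register(browser, self.name, cookie):
                return None
        return self.weblogin.check(self.name, cookie)


def replay_scenario():
    """Alice logs in and uses two services; Mallory steals only the payroll cookie."""
    weblogin = WebloginServer({"alice": "correct horse"})
    payroll = Service("payroll.example.edu", weblogin)   # assumed service names
    wiki = Service("wiki.example.edu", weblogin)

    alice = Browser()
    weblogin.login(alice, "alice", "correct horse")
    payroll.access(alice)
    wiki.access(alice)

    mallory = Browser()
    mallory.cookies[payroll.name] = alice.cookies[payroll.name]  # stolen from payroll only
    results = {
        "distinct_cookies": alice.cookies[payroll.name] != alice.cookies[wiki.name],
        "payroll_replay": payroll.access(mallory),   # replay works at the issuing service
        "wiki_enroll": wiki.access(mallory),          # no login cookie, so no new service cookie
    }
    mallory.cookies[wiki.name] = alice.cookies[payroll.name]  # try the stolen cookie elsewhere
    results["wiki_replay"] = wiki.access(mallory)
    weblogin.logout(alice)
    results["after_logout"] = payroll.access(mallory)
    return results


if __name__ == "__main__":
    print(replay_scenario())
```

The contrast with a single shared domain cookie is what the registration table buys you: because each (service, cookie) pair is bound separately to the login session, a cookie leaked by one host is worthless at every other host, and revoking the central session invalidates all of them at once.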
Current thread:
- Cookie stealing and replay in a corporate single sign on environment Willard Fernortner (Jun 14)
- Re: Cookie stealing and replay in a corporate single sign on environment Irene Abezgauz (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Willard Fernortner (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Irene Abezgauz (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Willard Fernortner (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Willie Northway (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Saqib Ali (Jun 15)
- <Possible follow-ups>
- RE: Cookie stealing and replay in a corporate single sign on environment Cyrill Osterwalder (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Ivan Ristic (Jun 15)
- RE: Cookie stealing and replay in a corporate single sign on environment Cyrill Osterwalder (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Irene Abezgauz (Jun 15)