WebApp Sec mailing list archives
Re: http/spnego connections
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Fri, 19 May 2006 07:35:14 -0700
Hi Adam,

As far as I understand SPNEGO is a Kerberos implementation for web browsers. So it works the same way as a Kerberos client would, i.e. once you get the ticket it is valid for a certain amount of time. You don't need a persistent connection.

The ticket that the client gets from the Ticket Granting Server has the following syntax:

Ticket (client, service) : service, [client, client address, validity, Key(client, service)]Key(client, TGS)

Where "service" is the resource that the client is trying to access. In this case, the Web application. "Validity" tells how long the ticket should be valid for. You can force-expire tickets on kerberized applications/clients. On Active Directory you can set the ticket lifetime in the Kerberos Policy setting using the Group Policy Management Console.

-- 
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------
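Added example (editor's illustration, not code from the message above or from any Kerberos implementation): a small Python model of the point being made, that a service ticket is obtained once from the TGS and then presented on each independent HTTP request, with a fresh authenticator, until its validity window closes. The service keeps no connection state, only a replay cache. Principal names, the lifetime, the key handling and the `seal`/`unseal` primitive are all constructed for illustration; `seal` is integrity-only (HMAC) and stands in for the real Kerberos encryption types. Unlike the notation in the message, the ticket here is sealed under the service's own long-term key, which is what the service needs in order to open it.

```python
"""Toy model of Kerberos service tickets over stateless HTTP (added example).

Shows why no persistent connection is needed: every request carries the same
ticket plus a new authenticator, and the service validates each one on its own.
All keys, names, lifetimes and the seal()/unseal() primitive are constructed
for illustration and are not real Kerberos encryption types or APIs.
"""
import hashlib
import hmac
import json
import os

MAX_SKEW_S = 300  # Kerberos default tolerance for client/server clock skew


def seal(key: bytes, obj: dict) -> bytes:
    """Toy 'encryption': JSON body plus an HMAC-SHA256 tag.

    Real Kerberos enctypes give confidentiality and integrity; this toy gives
    integrity only so the ticket fields stay readable in the example.
    """
    body = json.dumps(obj, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag under `key` and return the fields; raise on tampering."""
    body, tag = blob.rsplit(b"|", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad ticket/authenticator integrity")
    return json.loads(body)


# Long-term key of the HTTP service principal (constructed; in AD this is
# derived from the password of the account holding the HTTP/... SPN).
SERVICE_KEY = os.urandom(32)


def tgs_issue_ticket(client: str, service: str, client_addr: str,
                     lifetime_s: int, now: int):
    """TGS side: issue Ticket(client, service) sealed under the service's key.

    `lifetime_s` plays the role of the 'Maximum lifetime for service ticket'
    value set in the AD Kerberos Policy. Returns (ticket, session_key); the
    session key also goes back to the client in the TGS reply (not modelled).
    """
    session_key = os.urandom(32)
    ticket = seal(SERVICE_KEY, {
        "service": service,
        "client": client,
        "caddr": client_addr,            # optional in real Kerberos
        "starttime": now,
        "endtime": now + lifetime_s,     # the 'validity' field in the message
        "session_key": session_key.hex(),
    })
    return ticket, session_key


def client_request(ticket: bytes, session_key: bytes, client: str,
                   now: int, cusec: int = 0) -> dict:
    """Client side: the AP-REQ the browser would carry in 'Authorization:
    Negotiate ...' on one HTTP request. The authenticator is fresh each time."""
    authenticator = seal(session_key, {"client": client, "ctime": now, "cusec": cusec})
    return {"ticket": ticket, "authenticator": authenticator}


class WebService:
    """Service side. Holds no per-connection state, only a replay cache."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.replay_cache = set()

    def authenticate(self, request: dict, now: int) -> str:
        t = unseal(self.key, request["ticket"])           # needs only our own key
        if t["service"] != self.name:
            return "rejected: ticket for another service"
        if not t["starttime"] <= now <= t["endtime"]:
            return "rejected: ticket expired"
        a = unseal(bytes.fromhex(t["session_key"]), request["authenticator"])
        if a["client"] != t["client"]:
            return "rejected: authenticator/ticket client mismatch"
        if abs(a["ctime"] - now) > MAX_SKEW_S:
            return "rejected: clock skew"
        replay_key = (a["client"], a["ctime"], a["cusec"])
        if replay_key in self.replay_cache:
            return "rejected: replayed authenticator"
        self.replay_cache.add(replay_key)
        return "ok: " + t["client"]


def demo() -> list:
    """Four independent HTTP requests against one 10-minute ticket."""
    t0 = 1_700_000_000                                   # constructed epoch time
    svc = WebService("HTTP/web.example.com", SERVICE_KEY)
    ticket, skey = tgs_issue_ticket("alice@EXAMPLE.COM", svc.name, "10.0.0.5", 600, t0)
    results = []
    r1 = client_request(ticket, skey, "alice@EXAMPLE.COM", t0)
    results.append(svc.authenticate(r1, t0))             # first request: accepted
    results.append(svc.authenticate(r1, t0 + 1))         # same AP-REQ again: replay
    r2 = client_request(ticket, skey, "alice@EXAMPLE.COM", t0 + 300, cusec=1)
    results.append(svc.authenticate(r2, t0 + 300))       # new connection, same ticket
    r3 = client_request(ticket, skey, "alice@EXAMPLE.COM", t0 + 700, cusec=2)
    results.append(svc.authenticate(r3, t0 + 700))       # past endtime: expired
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second request reuses the first authenticator byte-for-byte and is refused by the replay cache; the third succeeds five minutes later over what would be a fresh TCP connection; the fourth fails only because the validity window set by the TGS has closed, which is the lifetime the message says can be tuned through the Kerberos Policy in Group Policy.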
Current thread:
- Non SSL Bank Login Forms wilson . amajohn (May 18)
- Re: Non SSL Bank Login Forms Wil Clouser (May 18)
- Fwd: Non SSL Bank Login Forms John Kennedy (May 18)
- Fwd: Non SSL Bank Login Forms John Kennedy (May 18)
- Re: Non SSL Bank Login Forms Wil Clouser (May 18)
- Re: Non SSL Bank Login Forms Adam Tuliper (May 19)
- http/spnego connections Adam Tuliper (May 19)
- Re: http/spnego connections Saqib Ali (May 19)
- Re: http/spnego connections Adam Tuliper (May 19)
- Re: http/spnego connections Adam Tuliper (May 19)
- Re: Non SSL Bank Login Forms Don Jackson (May 19)
- <Possible follow-ups>
- RE: Non SSL Bank Login Forms James Strassburg (May 19)