WebApp Sec mailing list archives
Re: Transferring a Session
From: Willie Northway <willn () umich edu>
Date: Wed, 5 May 2004 12:05:53 -0400
On May 3, 2004, at 6:33 PM, David Robert wrote:
I have a problem I would like some input on. I need to implement a solution that allows one website to securely transfer 'logged in' state to anotherwebsite.
You may find that the cosign project fulfills your needs:
http://weblogin.org/
Cosign is an open source single sign-on solution which manages user
logins through a central server. Once registered with the central
server, users can freely visit any cosign protected sites for which
they have authorization. These protected sites connect to the central
cosign server through a back-side SSL connection to verify
authentication, and then create a service cookie for ease of subsequent
service visits.
This software is currently being used by the University of Michigan to manage several hundred thousand logins a day:
http://www.umich.edu/~umweb/software/cosign/cosign-discuss/ msg00005.html
3) System B is written in Java and uses SSL, form based, username/password authentication.
The cosign filters are put in place on the protected sites, and have been written for apache and IIS, and the java filter beta has recently been released.
The 'time dependent' nature of the last two are at the request of the client. They are concerned that the link can be read from the browser'scache by an attacker. Is this really a problem if the page on system A isset to not be cached?
The idle and hard-limit timeouts of the cosign session are both configurable. Once a cosign session has ended either through a timeout, or a user-action logout, the service cookie becomes worthless.
Below is a link to a description that Penn State has written about cosign:
http://et.aset.psu.edu/initiatives/credential/publications/
Feel free to contact cosign () umich edu if you have further questions.
- Willie
--
Willie Northway University of Michigan Webmaster Team
http://willienorthway.com/ http://www.umich.edu/~umweb/
Current thread:
- ISAPI dave kleiman (May 02)
- RE: ISAPI Philip Wagenaar (May 02)
- RE: ISAPI dave kleiman (May 02)
- Transferring a Session David Robert (May 05)
- Re: Transferring a Session Willie Northway (May 05)
- Re: Transferring a Session Blasted (May 05)
- Re: Transferring a Session Tim Bond (May 05)
- Re: Transferring a Session Rogan Dawes (May 05)
- <Possible follow-ups>
- RE: ISAPI Maxim Kostioukov (May 03)
- RE: ISAPI Philip Wagenaar (May 02)