WebApp Sec mailing list archives
Re: Cookie stealing and replay in a corporate single sign on environment
From: Ivan Ristic <ivan.ristic () gmail com>
Date: Wed, 15 Jun 2005 14:09:04 +0100
On 6/15/05, Cyrill Osterwalder <cyrill.osterwalder () seclutions com> wrote:
> The way you describe your SSO environment I think that the SSL session ID would solve your problems.

Wouldn't that approach work only if there is a single SSL server and thus only one SSL session ID per cookie? In a typical SSO scenario there are many web servers and thus many SSL session IDs used by the same user. What happens if someone steals a cookie and uses it in a request that establishes a new SSL session with a server that has not seen that cookie yet?

The only solution where I can see this approach working (for SSO deployments) is where a reverse proxy is used to terminate SSL and map all the web servers into a single domain space at the same time. This would ensure that only one SSL connection per user is used, and allow for correlation between a cookie and its SSL session ID.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
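The gap Ivan describes, modelled as an added example (not code from the thread): each SSL terminator binds a cookie to the first TLS session ID that presents it, and we compare a topology where every web server terminates SSL itself against one where a single reverse proxy does. Cookie values and TLS session IDs are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class TlsTerminator:
    """One SSL-terminating endpoint that remembers which TLS session ID
    first carried each SSO cookie and rejects the cookie on any other."""
    name: str
    bindings: dict = field(default_factory=dict)

    def check(self, cookie: str, tls_session_id: str) -> bool:
        # A cookie this terminator has never seen is bound to the
        # presenting TLS session; later requests must match that binding.
        bound = self.bindings.setdefault(cookie, tls_session_id)
        return bound == tls_session_id


COOKIE = "SSO=abc123"  # constructed sample cookie value


def replay_against_direct_servers() -> dict:
    """Every web server terminates SSL on its own (no reverse proxy)."""
    server_a, server_b = TlsTerminator("A"), TlsTerminator("B")
    # Victim logs in through server A over their own TLS session.
    server_a.check(COOKIE, "tls-sess-victim-A")
    # Stolen cookie is presented to server B, which has not seen it yet:
    # B has no binding, so it accepts and binds the cookie to the thief.
    thief_accepted = server_b.check(COOKIE, "tls-sess-thief-B")
    # The victim's later visit to B arrives on a different TLS session
    # and is now refused, so the scheme neither protects nor works.
    victim_accepted = server_b.check(COOKIE, "tls-sess-victim-B")
    return {"thief_accepted": thief_accepted, "victim_accepted": victim_accepted}


def replay_against_reverse_proxy() -> dict:
    """A single reverse proxy terminates SSL for all web servers."""
    proxy = TlsTerminator("proxy")
    # Victim's first request binds the cookie to their one TLS session.
    proxy.check(COOKIE, "tls-sess-victim")
    # Replay over any other TLS session is refused by the same terminator.
    thief_accepted = proxy.check(COOKIE, "tls-sess-thief")
    victim_accepted = proxy.check(COOKIE, "tls-sess-victim")
    return {"thief_accepted": thief_accepted, "victim_accepted": victim_accepted}


if __name__ == "__main__":
    print("direct:", replay_against_direct_servers())
    print("proxy: ", replay_against_reverse_proxy())
```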