WebApp Sec mailing list archives
Re: Cookie stealing and replay in a corporate single sign on environment
From: Saqib Ali <docbook.xml () gmail com>
Date: Wed, 15 Jun 2005 07:39:40 -0700
> Web single sign-on typically works using a shared cookie that is passed to all intranet web sites in the corporate domain (e.g. *.myintranet.com). Because these cookies are passed to ALL internal web sites, there are plenty of opportunities for these cookies to be stolen:
Any SSO that uses domain-wide cookies has inherent security issues (e.g. CSRF). Try SPNEGO <http://www.xml-dev.com/blog/index.php?action=viewtopic&id=133> instead. SPNEGO provides an SSO for web-based apps in a Kerberos-enabled environment. Basically it allows web applications to automatically authenticate clients who have valid Kerberos credentials.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/
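To make the domain-wide cookie problem concrete, here is an added audit script (not from the thread) that applies RFC 6265 domain matching to a list of constructed intranet host names and reports which hosts would receive each Set-Cookie, flagging domain-wide scope and missing Secure/HttpOnly attributes. The host names, cookie names and header values are all constructed samples.

```python
"""Audit SSO cookie scope: which intranet hosts would receive each cookie?"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample hosts in the corporate domain, plus one unrelated host.
INTRANET_HOSTS = ["sso.myintranet.com", "hr.myintranet.com",
                  "wiki.myintranet.com", "test-box.myintranet.com",
                  "www.other-corp.com"]

# Constructed Set-Cookie headers as the SSO server (sso.myintranet.com) might send them.
SAMPLE_HEADERS = [
    "SSOTOKEN=abc123; Domain=.myintranet.com; Path=/",                  # domain-wide, no flags
    "SSOTOKEN=def456; Domain=myintranet.com; Path=/; Secure; HttpOnly",  # domain-wide, flagged
    "SESSION=xyz789; Path=/; Secure; HttpOnly",                          # host-only cookie
]

@dataclass
class Cookie:
    name: str
    domain: Optional[str]   # None means host-only (no Domain attribute)
    secure: bool
    httponly: bool

def parse_set_cookie(header: str) -> Cookie:
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain, secure, httponly = None, False, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        k = key.strip().lower()
        if k == "domain" and val:
            domain = val.strip().lower().lstrip(".")  # RFC 6265: a leading dot is ignored
        elif k == "secure":
            secure = True
        elif k == "httponly":
            httponly = True
    return Cookie(name, domain, secure, httponly)

def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def audit(header: str, setting_host: str, hosts: List[str] = INTRANET_HOSTS) -> Dict:
    c = parse_set_cookie(header)
    if c.domain is None:   # host-only: only the host that set it ever receives it
        recv = [h for h in hosts if h.lower() == setting_host.lower()]
    else:
        recv = [h for h in hosts if domain_matches(h, c.domain)]
    findings = []
    if c.domain is not None and len(recv) > 1:
        findings.append("domain-wide: sent to every host under " + c.domain)
    if not c.secure:
        findings.append("missing Secure: also sent over plain HTTP")
    if not c.httponly:
        findings.append("missing HttpOnly: readable by script on any receiving host")
    return {"name": c.name, "hosts": recv, "findings": findings}
```

Running `audit(SAMPLE_HEADERS[0], "sso.myintranet.com")` shows the unflagged SSO token reaching every myintranet.com host, including the low-value test box, while the host-only SESSION cookie stays on the SSO server.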