Martin: Thanks for the detailed answer!

On Apr 19, 2012, at 11:55 AM, Houtzager, Guus wrote:

> ...
> Which means each protected site needs its own logout script to delete its own 
> service cookie. Smells like a security feature around access to cookies. Is 
> that correct?

In part, yes. Cosign was consciously designed to use host cookies and not 
domain cookies. The former are only sent to the host that set the cookies in 
the first place. The latter are sent to any host with the same domain. Cosign's 
model is to have one login cookie (the one set after authentication on the 
weblogin server), and many service cookies bound to the weblogin cookie. All 
cookie values are random: they contain no information about the user, the login 
cookie itself, or any other service cookies. As a result, compromise of one 
cosign service does not necessarily mean compromise of any other service.

andrew
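Added example, not code from this thread or from the Cosign project: a minimal
cookie jar that applies the RFC 6265 domain-matching and cookie-selection rules
to show the point above in running code. A cookie set without a Domain
attribute (a host cookie) is returned only to the host that set it, a cookie
with Domain=example.com goes to every host under example.com, and a logout
script on one host can only expire that host's own cookies. The host names
(weblogin.example.com, portal.example.com, wiki.example.com, evil.example.org)
and the cookie names other than "cosign" and "cosign-portal" are made up for
the walk-through; path handling and the public-suffix check are left out.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # the setting host (host cookie) or the Domain attribute
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    value: str
    secure: bool = True


def canon(host: str) -> str:
    return host.lower().strip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the request host is the cookie domain itself
    or a subdomain of it (a dot boundary is required)."""
    h, d = canon(request_host), canon(cookie_domain)
    return h == d or h.endswith("." + d)


def store(jar: dict, setting_host: str, name: str, value: str,
          domain_attr: Optional[str] = None, expire: bool = False,
          secure: bool = True) -> bool:
    """Process one Set-Cookie from setting_host the way a user agent does
    (RFC 6265 section 5.3; Path is ignored, everything here uses Path=/).
    Returns False when the user agent rejects the cookie."""
    if domain_attr is None:
        domain, host_only = canon(setting_host), True
    else:
        if not domain_matches(setting_host, domain_attr):
            return False   # a host may only scope cookies to itself or a parent domain
        domain, host_only = canon(domain_attr), False
    key = (name, domain)   # RFC 6265 picks the cookie to replace by name and domain (and path)
    if expire:
        # an already-expired cookie replaces, and so removes, the stored cookie with
        # the same name and domain; it cannot reach a cookie scoped to another host
        jar.pop(key, None)
    else:
        jar[key] = Cookie(name, domain, host_only, value, secure)
    return True


def cookies_for(jar: dict, request_host: str, https: bool = True) -> dict:
    """RFC 6265 section 5.4: the cookies a user agent attaches to a request."""
    sent = {}
    for c in jar.values():
        if c.host_only:
            if canon(request_host) != c.domain:   # host cookie: exact host only
                continue
        elif not domain_matches(request_host, c.domain):
            continue
        if c.secure and not https:
            continue
        sent[c.name] = c.value
    return sent


def new_token() -> str:
    """A cosign-style cookie value: random, encodes nothing about the user."""
    return secrets.token_hex(32)


HOSTS = ("weblogin.example.com", "portal.example.com", "wiki.example.com")


def scenario() -> dict:
    """Constructed walk-through; all host names are made up."""
    jar = {}
    store(jar, "weblogin.example.com", "cosign", new_token())        # login cookie, host cookie
    store(jar, "portal.example.com", "cosign-portal", new_token())   # service cookie, host cookie
    # what a careless service would do: a domain cookie, sent to every host under example.com
    store(jar, "wiki.example.com", "cosign-wiki", new_token(), domain_attr="example.com")
    # an unrelated host cannot plant a cookie scoped to the weblogin host
    foreign = store(jar, "evil.example.org", "cosign", "x", domain_attr="weblogin.example.com")

    before = {h: sorted(cookies_for(jar, h)) for h in HOSTS}

    # the portal's logout script: Set-Cookie with an expiry in the past and no Domain attribute
    store(jar, "portal.example.com", "cosign-portal", "null", expire=True)
    # the same script cannot expire the weblogin host's login cookie
    store(jar, "portal.example.com", "cosign", "null", expire=True)

    after = {h: sorted(cookies_for(jar, h)) for h in HOSTS}
    return {"foreign_accepted": foreign, "before": before, "after": after}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

Running it shows weblogin.example.com never receives cosign-portal and
portal.example.com never receives cosign, while the domain cookie cosign-wiki
reaches all three hosts; after the portal's logout only cosign-portal is gone.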

> 
>> -----Original Message-----
>> From: Martin Sucha [mailto:such...@uniba.sk]
>> Sent: donderdag 19 april 2012 5:03
>> To: cosign-discuss@lists.sourceforge.net
>> Subject: Re: [Cosign-discuss] Logout issue
>> 
>> Hi,
>> 
>> On Thursday 19 April 2012 16:14:11 Houtzager, Guus wrote:
>>> To see what's what I put the following lines in
>>> https://portal.example.com/logout.php:
>>> 
>>> setcookie(cosign, "null", time()-3600, '/', "", TRUE );
>>> setcookie(cosign-portal, "null", time()-3600, '/', "", TRUE );
>> The problem is here. You should put the cookie name in a string, as in:
>> setcookie("cosign", "null", time()-3600, '/', "", TRUE );
>> setcookie("cosign-portal", "null", time()-3600, '/', "", TRUE );
>> 
>> The first setcookie works, because PHP evaluates an undefined constant to
>> its name, hence cosign evaluates to "cosign". On the other hand,
>> cosign-portal is treated as "cosign"-"portal", which then evaluates to 0
>> (as both strings evaluate to zero and 0-0=0).
>> 
>> Regards,
>> Martin Sucha
>> 
>> 
>> -----------------------------------------------------------------------
>> -------
>> For Developers, A Lot Can Happen In A Second.
>> Boundary is the first to Know...and Tell You.
>> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
>> http://p.sf.net/sfu/Boundary-d2dvs2
>> _______________________________________________
>> Cosign-discuss mailing list
>> Cosign-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/cosign-discuss