Josh Howlett <[EMAIL PROTECTED]> wrote:
> Assume that there was a mechanism to send the cookie generated by
> mod_auth_radius to the remote RADIUS server where it could be stored
> (for the lifetime of the cookie).

That would probably not be a good idea, mostly due to increased load on the RADIUS server.

> Assume also that there existed an "rlm_cookie" authentication module on
> that remote RADIUS server that allows the RADIUS server to authenticate
> a user on the basis of a cookie.
>
> In this hypothetical case, would it be feasible for a user to present
> the same cookie to a different WWW server, which could then attempt to
> authenticate the user by passing the cookie to the remote RADIUS
> server? (ie. thereby avoiding the need for the user to present his
> credentials again - the idea being to enable single sign-on).
>
> Is this idea crack-pot or simply brain-dead?

It's a hack, but I see reason why it wouldn't work.

You would want to be careful creating the cookie. See the current 'mod_auth_radius' code for its method. You want the cookie to be signed (somehow), to contain a timestamp for expiry, some user credentials (IP, name etc), to minimize the potential for someone to snoop the cookie and use it themselves.

Alan DeKok.
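The cookie properties listed in the reply above (a signature, an expiry timestamp, and binding to the user's name and IP), shown as an added example; it is not part of the original message and is not the mod_auth_radius implementation. The HMAC-SHA256 construction, the field layout, `SECRET`, `LIFETIME` and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key (assumption): every server that verifies the cookie
# would share one randomly generated secret instead.
SECRET = b"constructed-demo-secret"
LIFETIME = 3600  # seconds a cookie stays valid (assumed value)


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(user: str, client_ip: str, now: Optional[float] = None) -> str:
    """Return 'b64(user)|ip|expiry|mac'; the MAC covers all three fields."""
    issued = time.time() if now is None else now
    name = base64.urlsafe_b64encode(user.encode()).decode()
    payload = f"{name}|{client_ip}|{int(issued + LIFETIME)}"
    return f"{payload}|{_sign(payload)}"


def verify_cookie(cookie: str, client_ip: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is authentic, unexpired and
    presented from the IP it was issued to; otherwise None."""
    current = time.time() if now is None else now
    try:
        name, ip, expiry, mac = cookie.split("|")
        # Check the signature first, in constant time, before trusting
        # any of the fields it protects.
        if not hmac.compare_digest(mac, _sign(f"{name}|{ip}|{expiry}")):
            return None
        if ip != client_ip:          # snooped cookie replayed from elsewhere
            return None
        if int(expiry) < current:    # past its lifetime
            return None
        return base64.urlsafe_b64decode(name).decode()
    except (ValueError, TypeError, UnicodeError):
        return None                  # malformed cookie
```

Binding to the client IP only narrows replay (users behind the same NAT share an address), so the cookie should still travel over TLS only.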