Hi, Michael. Let me try again with more specifics. I'm required to mash my service into another organization's authentication scheme, ditching my own secure methods for their cross-domain unencrypted, unsigned cookie.
1. Foreign server, foreign.foo.com, presents a form to a user requesting userid/password. Foreign server accepts credentials and creates a simple session cookie whose domain is foo.com containing a string of unencrypted key/value pairs.
2. User comes to my local server, local.foo.com, and sends along his cookie for domain foo.com. I need to parse out one of the key/value pairs and populate an environment variable (aside from REMOTE_USER) with the pair's data. If the user comes without the cookie or without appropriate data in the cookie, I need to redirect him to foreign. I am also asked to not create any other cookies. All the data I need is in the one cookie that comes from foreign.

So, my needs boil down to:

1. Read data from existing cookie.
1a. Redirect if cookie is non-existent.
2. Accept or reject cookie.
2a. If rejected, redirect.
2b. If accepted, populate environment and return.

On a side note, if anyone finds the proposed design lacking for security or anything else, please let me know.

Thanks,
Christian

-----------------
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group

> -----Original Message-----
> From: Michael Schout [mailto:mschout@;gkg.net]
> Sent: Tuesday, October 22, 2002 2:00 PM
> To: Christian Gilmore
> Cc: Modperl Mailing List (E-mail)
> Subject: Re: AuthCookie questions
>
>
> Christian Gilmore wrote:
>
> > 4. I cannot modify the cookie and should not send additional cookies.
>
> [snip]
>
> > about 4. Can I use an unmodified AuthCookie to ensure that whatever format
> > the inbound cookie is in is sufficient and will not need to be modified or
> > supplemented? I believe the answer is no, and, if it is, should this be
>
> What exactly do you mean by this? What are you trying to accomplish?
> Do you mean "The user cannot modify the cookie?" If that's what you
> mean, then yes, there are ways to do that. Basically you have to
> cryptographically sign the cookie using a secret that is unknown to the
> end user. There is an example of this in the Eagle book, and
> Apache::AuthTicket uses a scheme similar to this. Because you can't
> control what the cookie server sends, you'd probably have to do some
> sort of double redirect. For example:
>
> o user is redirected to auth server
> o auth server returns cookie and redirects to /SIGNHANDLER
> o signhandler gets the cookie, cryptographically signs it, and
>   returns the cookie to the client and redirects to real location
> o user is redirected to real location.
>
> If that's not what you mean, please elaborate.
>
> Regards,
> Mike
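An added example, not code from this thread or from AuthCookie/Apache::AuthTicket: the sign-handler step Mike describes (an HMAC over the foreign cookie's key/value payload, keyed with a secret the browser never sees) together with the check Christian needs on local.foo.com (read the cookie; redirect if it is absent, unsigned, altered or lacking the field; otherwise hand back the pairs for the environment). The cookie name, the `k=v&k=v` payload format, the required field and the login URL are assumptions.

```python
import hmac
import hashlib

SECRET = b"constructed-placeholder-secret"          # assumption: held server-side only
COOKIE_NAME = "foosession"                          # assumption: name of the foo.com cookie
REQUIRED_KEY = "userid"                             # assumption: the pair local.foo.com needs
LOGIN_URL = "https://foreign.foo.com/login"         # assumption: where rejected users go

def parse_cookie_header(header):
    """Split a Cookie header ('a=1; b=x=y&z=2') into {cookie name: raw value}."""
    cookies = {}
    for item in (header or "").split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def parse_pairs(payload):
    """Split the payload 'k1=v1&k2=v2' into a dict; malformed items are ignored."""
    pairs = {}
    for item in payload.split("&"):
        key, sep, value = item.partition("=")
        if sep:
            pairs[key] = value
    return pairs

def sign_cookie(payload, secret=SECRET):
    """Sign-handler step: append an HMAC-SHA256 tag computed over the foreign payload."""
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&sig={tag}"

def check_cookie(cookie_header, secret=SECRET):
    """Decide what local.foo.com does with a request's Cookie header.
    Returns ("ok", pairs) when the cookie is present, its tag verifies and the
    required field is there; otherwise ("redirect", LOGIN_URL)."""
    value = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    if not value or "&sig=" not in value:
        return ("redirect", LOGIN_URL)          # 1a: no cookie, or it never passed the sign handler
    payload, tag = value.rsplit("&sig=", 1)
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return ("redirect", LOGIN_URL)          # 2a: payload altered after signing, or tag forged
    pairs = parse_pairs(payload)
    if REQUIRED_KEY not in pairs:
        return ("redirect", LOGIN_URL)          # 2a: right cookie, but not the data we need
    return ("ok", pairs)                        # 2b: caller sets the env var from pairs[REQUIRED_KEY]
```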