Check here: http://modperl.home.att.net

Peter
----- Original Message -----
From: "Christian Gilmore" <[EMAIL PROTECTED]>
To: "'Michael Schout'" <[EMAIL PROTECTED]>
Cc: "'Modperl Mailing List (E-mail)'" <[EMAIL PROTECTED]>
Sent: Tuesday, October 22, 2002 12:13 PM
Subject: RE: AuthCookie questions

> Hi, Michael. Let me try again with more specifics. I'm required to mash my
> service into another organization's authentication scheme, ditching my own
> secure methods for their cross-domain unencrypted, unsigned cookie.
>
> 1. Foreign server, foreign.foo.com, presents a form to a user requesting
>    userid/password. Foreign server accepts credentials and creates a simple
>    session cookie whose domain is foo.com containing a string of
>    unencrypted key/value pairs.
> 2. User comes to my local server, local.foo.com, and sends along his
>    cookie for domain foo.com. I need to parse out one of the key/value
>    pairs and populate an environment variable (aside from REMOTE_USER)
>    with the pair's data. If the user comes without the cookie or without
>    appropriate data in the cookie, I need to redirect him to foreign.
>
> I am also asked to not create any other cookies. All the data I need is in
> the one cookie that comes from foreign. So, my needs boil down to:
>
> 1. Read data from existing cookie.
> 1a. Redirect if cookie is non-existent.
> 2. Accept or reject cookie.
> 2a. If rejected, redirect.
> 2b. If accepted, populate environment and return.
>
> On a side note, if anyone finds the proposed design lacking for security or
> anything else, please let me know.
>
> Thanks,
> Christian
>
> -----------------
> Christian Gilmore
> Technology Leader
> GeT WW Global Applications Development
> IBM Software Group
>
>
> > -----Original Message-----
> > From: Michael Schout [mailto:mschout@;gkg.net]
> > Sent: Tuesday, October 22, 2002 2:00 PM
> > To: Christian Gilmore
> > Cc: Modperl Mailing List (E-mail)
> > Subject: Re: AuthCookie questions
> >
> >
> > Christian Gilmore wrote:
> >
> > > 4. I cannot modify the cookie and should not send additional cookies.
> >
> > [snip]
> >
> > > about 4. Can I use an unmodified AuthCookie to ensure that whatever
> > > format the inbound cookie is in is sufficient and will not need to be
> > > modified or supplemented? I believe the answer is no, and, if it is,
> > > should this be
> >
> > What exactly do you mean by this? What are you trying to accomplish?
> > Do you mean "The user cannot modify the cookie?" If that's what you
> > mean, then yes, there are ways to do that. Basically you have to
> > cryptographically sign the cookie using a secret that is unknown to the
> > end user. There is an example of this in the Eagle book, and
> > Apache::AuthTicket uses a scheme similar to this. Because you can't
> > control what the cookie server sends, you'd probably have to do some
> > sort of double redirect. For example:
> >
> >   o user is redirected to auth server
> >   o auth server returns cookie and redirects to /SIGNHANDLER
> >   o signhandler gets the cookie, cryptographically signs it, and
> >     returns the cookie to the client and redirects to real location
> >   o user is redirected to real location.
> >
> > If that's not what you mean, please elaborate.
> >
> > Regards,
> > Mike
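The double-redirect signing scheme Mike sketches, combined with the read/accept/reject/populate steps Christian lists, as an added example that is not part of the thread and not code from Apache::AuthCookie or Apache::AuthTicket. The two Apache handlers are reduced to plain functions so it runs offline. Everything named below is an assumption: the foreign cookie is called FOOSESS and carries pairs like "userid=alice&group=dev", the sign handler adds a second cookie FOOSIG holding an HMAC over the FOOSESS value, and the pair exported to the environment is "userid" (as FOO_USERID). The hostnames foreign.foo.com and local.foo.com are the ones from the thread.

```python
"""Added example (not from the thread): sign an unsigned foreign cookie once,
then verify the signature on every later request.

Assumed names (none appear in the thread): FOOSESS, FOOSIG, FOO_USERID,
the "k=v&k=v" layout of the cookie value, and the two URL paths.
"""
import hashlib
import hmac

FOREIGN_LOGIN = "https://foreign.foo.com/login"   # host from the thread, path assumed
REAL_LOCATION = "https://local.foo.com/app"       # host from the thread, path assumed
SESSION_COOKIE = "FOOSESS"                        # assumed name of the foreign cookie
SIG_COOKIE = "FOOSIG"                             # assumed name of the signature cookie
REQUIRED_KEY = "userid"                           # assumed key inside FOOSESS
ENV_VAR = "FOO_USERID"                            # assumed variable to populate


def parse_cookie_header(header):
    """Split a Cookie: header into {name: value}; a later duplicate wins."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def parse_pairs(value):
    """Split the foreign server's unencrypted 'k=v&k=v' value into a dict."""
    pairs = {}
    for item in value.split("&"):
        if "=" in item:
            key, val = item.split("=", 1)
            pairs[key] = val
    return pairs


def sign(value, secret):
    """HMAC-SHA256 over the exact cookie bytes; the secret never reaches the client."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()


def sign_handler(cookie_header, secret):
    """Mike's /SIGNHANDLER step, reached right after the foreign redirect.
    Returns (redirect_location, set_cookie_header_or_None)."""
    cookies = parse_cookie_header(cookie_header)
    session = cookies.get(SESSION_COOKIE)
    if session is None:
        return FOREIGN_LOGIN, None   # nothing to vouch for; send back to foreign
    set_cookie = "%s=%s; Domain=foo.com; Path=/; Secure; HttpOnly" % (
        SIG_COOKIE, sign(session, secret))
    return REAL_LOCATION, set_cookie


def check_request(cookie_header, secret):
    """Christian's steps 1 through 2b on every later request to local.foo.com.
    Returns {"redirect": url} or {"env": {ENV_VAR: value}}."""
    cookies = parse_cookie_header(cookie_header)
    session = cookies.get(SESSION_COOKIE)
    sig = cookies.get(SIG_COOKIE)
    if session is None or sig is None:
        return {"redirect": FOREIGN_LOGIN}           # 1a: cookie missing
    if not hmac.compare_digest(sign(session, secret), sig):
        return {"redirect": FOREIGN_LOGIN}           # 2a: value changed since signing
    pairs = parse_pairs(session)
    if REQUIRED_KEY not in pairs:
        return {"redirect": FOREIGN_LOGIN}           # 2a: required pair absent
    # 2b: accepted; in mod_perl this is what would go into $r->subprocess_env
    return {"env": {ENV_VAR: pairs[REQUIRED_KEY]}}


if __name__ == "__main__":
    secret = b"constructed-demo-secret"             # constructed, not a real key
    session = "userid=alice&group=dev"                # constructed cookie value
    location, set_cookie = sign_handler("FOOSESS=" + session, secret)
    signature = set_cookie.split(";")[0].split("=", 1)[1]
    print(check_request("FOOSESS=%s; FOOSIG=%s" % (session, signature), secret))
    print(check_request("FOOSESS=userid=mallory&group=dev; FOOSIG=%s" % signature, secret))
```

Note what the signature does and does not buy: it only vouches that FOOSESS has not changed since the moment the sign handler saw it, so the sign handler has to be reachable only via the redirect that follows the foreign login, and the comparison is done with hmac.compare_digest so a forged FOOSIG cannot be guessed byte by byte through timing. It does not make the foreign cookie any less readable in transit, which is why the example sets Secure on the cookie it adds.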