Re: AuthCookie questions
check here http://modperl.home.att.net

Peter

- Original Message -
From: "Christian Gilmore" <[EMAIL PROTECTED]>
To: "'Michael Schout'" <[EMAIL PROTECTED]>
Cc: "'Modperl Mailing List (E-mail)'" <[EMAIL PROTECTED]>
Sent: Tuesday, October 22, 2002 12:13 PM
Subject: RE: AuthCookie questions

> Hi, Michael. Let me try again with more specifics. I'm required to mash my
> service into another organization's authentication scheme, ditching my own
> secure methods for their cross-domain unencrypted, unsigned cookie.
>
> 1. Foreign server, foreign.foo.com, presents a form to a user requesting
>    userid/password. Foreign server accepts credentials and creates simple
>    session cookie whose domain is foo.com containing a string of
>    unencrypted key/value pairs.
> 2. User comes to my local server, local.foo.com, and sends along his
>    cookie for domain foo.com. I need to parse out one of the key/value
>    pairs and populate an environment variable (aside from REMOTE_USER)
>    with the pair's data. If the user comes without the cookie or without
>    appropriate data in the cookie, I need to redirect him to foreign.
>
> I am also asked to not create any other cookies. All the data I need is in
> the one cookie that comes from foreign. So, my needs boil down to:
>
> 1. Read data from existing cookie.
> 1a. Redirect if cookie is non-existent.
> 2. Accept or reject cookie.
> 2a. If rejected, redirect.
> 2b. If accepted, populate environment and return.
>
> On a side note, if anyone finds the proposed design lacking for security or
> anything else, please let me know.
>
> Thanks,
> Christian
>
> -
> Christian Gilmore
> Technology Leader
> GeT WW Global Applications Development
> IBM Software Group
>
> > -Original Message-
> > From: Michael Schout [mailto:mschout@;gkg.net]
> > Sent: Tuesday, October 22, 2002 2:00 PM
> > To: Christian Gilmore
> > Cc: Modperl Mailing List (E-mail)
> > Subject: Re: AuthCookie questions
> >
> > Christian Gilmore wrote:
> >
> > > 4. I cannot modify the cookie and should not send additional cookies.
> >
> > [snip]
> >
> > > about 4. Can I use an unmodified AuthCookie to ensure that whatever format
> > > the inbound cookie is in is sufficient and will not need to be modified or
> > > supplemented? I believe the answer is no, and, if it is, should this be
> >
> > What exactly do you mean by this? What are you trying to accomplish?
> > Do you mean "The user cannot modify the cookie?" If that's what you
> > mean, then yes, there are ways to do that. Basically you have to
> > cryptographically sign the cookie using a secret that is unknown to the
> > end user. There is an example of this in the Eagle book, and
> > Apache::AuthTicket uses a scheme similar to this. Because you can't
> > control what the cookie server sends, you'd probably have to do some
> > sort of double redirect. For example:
> >
> > o user is redirected to auth server
> > o auth server returns cookie and redirects to /SIGNHANDLER
> > o signhandler gets the cookie, cryptographically signs it, and
> >   returns the cookie to the client and redirects to real location
> > o user is redirected to real location.
> >
> > If that's not what you mean, please elaborate.
> >
> > Regards,
> > Mike
Re: AuthCookie questions
Christian Gilmore wrote:

> 1. Read data from existing cookie.
> 1a. Redirect if cookie is non-existent.
> 2. Accept or reject cookie.
> 2a. If rejected, redirect.
> 2b. If accepted, populate environment and return.

Sounds to me like you really don't need AuthCookie at all. You could just as easily do all of this by writing a PerlAccessHandler that does the above things.

I'll second Perrin's comments. You definitely have security problems with this. The only way to do this securely is to cryptographically sign the cookie and to encrypt the data on the wire using SSL.

Mike
Re: AuthCookie questions
Christian Gilmore wrote:

> Hi, Michael. Let me try again with more specifics. I'm required to mash my
> service into another organization's authentication scheme, ditching my own
> secure methods for their cross-domain unencrypted, unsigned cookie.

[...]

> On a side note, if anyone finds the proposed design lacking for security or
> anything else, please let me know.

It sounds like you are already aware that it lacks security. The important thing to remember about cookies is that unless you use some kind of cryptographic signature to verify them you have absolutely no idea if the cookie came from your site or not. People can very easily put whatever they want in a cookie to send to your site using one of the thousands of HTTP testing programs and libraries, and if you use that cookie as a key to a data structure they may be able to gain access to other people's data.

Even if you use a crypto signature they can still sniff someone else's legit cookie off the wire, but at least you can prevent them from tampering with the contents of the cookie.

"Never trust the client."

- Perrin
RE: AuthCookie questions
Hi, Michael. Let me try again with more specifics. I'm required to mash my service into another organization's authentication scheme, ditching my own secure methods for their cross-domain unencrypted, unsigned cookie.

1. Foreign server, foreign.foo.com, presents a form to a user requesting
   userid/password. Foreign server accepts credentials and creates simple
   session cookie whose domain is foo.com containing a string of
   unencrypted key/value pairs.
2. User comes to my local server, local.foo.com, and sends along his
   cookie for domain foo.com. I need to parse out one of the key/value
   pairs and populate an environment variable (aside from REMOTE_USER)
   with the pair's data. If the user comes without the cookie or without
   appropriate data in the cookie, I need to redirect him to foreign.

I am also asked to not create any other cookies. All the data I need is in the one cookie that comes from foreign. So, my needs boil down to:

1. Read data from existing cookie.
1a. Redirect if cookie is non-existent.
2. Accept or reject cookie.
2a. If rejected, redirect.
2b. If accepted, populate environment and return.

On a side note, if anyone finds the proposed design lacking for security or anything else, please let me know.

Thanks,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group

> -Original Message-
> From: Michael Schout [mailto:mschout@;gkg.net]
> Sent: Tuesday, October 22, 2002 2:00 PM
> To: Christian Gilmore
> Cc: Modperl Mailing List (E-mail)
> Subject: Re: AuthCookie questions
>
> Christian Gilmore wrote:
>
> > 4. I cannot modify the cookie and should not send additional cookies.
>
> [snip]
>
> > about 4. Can I use an unmodified AuthCookie to ensure that whatever format
> > the inbound cookie is in is sufficient and will not need to be modified or
> > supplemented? I believe the answer is no, and, if it is, should this be
>
> What exactly do you mean by this? What are you trying to accomplish?
> Do you mean "The user cannot modify the cookie?" If that's what you
> mean, then yes, there are ways to do that. Basically you have to
> cryptographically sign the cookie using a secret that is unknown to the
> end user. There is an example of this in the Eagle book, and
> Apache::AuthTicket uses a scheme similar to this. Because you can't
> control what the cookie server sends, you'd probably have to do some
> sort of double redirect. For example:
>
> o user is redirected to auth server
> o auth server returns cookie and redirects to /SIGNHANDLER
> o signhandler gets the cookie, cryptographically signs it, and
>   returns the cookie to the client and redirects to real location
> o user is redirected to real location.
>
> If that's not what you mean, please elaborate.
>
> Regards,
> Mike
Re: AuthCookie questions
Christian Gilmore wrote:

> 4. I cannot modify the cookie and should not send additional cookies.

[snip]

> about 4. Can I use an unmodified AuthCookie to ensure that whatever format
> the inbound cookie is in is sufficient and will not need to be modified or
> supplemented? I believe the answer is no, and, if it is, should this be

What exactly do you mean by this? What are you trying to accomplish? Do you mean "The user cannot modify the cookie?" If that's what you mean, then yes, there are ways to do that. Basically you have to cryptographically sign the cookie using a secret that is unknown to the end user. There is an example of this in the Eagle book, and Apache::AuthTicket uses a scheme similar to this. Because you can't control what the cookie server sends, you'd probably have to do some sort of double redirect. For example:

o user is redirected to auth server
o auth server returns cookie and redirects to /SIGNHANDLER
o signhandler gets the cookie, cryptographically signs it, and
  returns the cookie to the client and redirects to real location
o user is redirected to real location.

If that's not what you mean, please elaborate.

Regards,
Mike
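The signing idea discussed in this thread (a signature over the cookie made with a secret the end user never sees, checked before any key/value pair is trusted), as an added example that is not part of the original messages and is not AuthCookie's or Apache::AuthTicket's code. The `issued|payload|mac` layout, the `key=value&key=value` payload format, the use of HMAC-SHA256, and the names `sign_cookie`, `verify_cookie` and `ct_eq` are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed values: a real secret is long, random and never leaves the server.
my $SECRET  = 'constructed-demo-secret';
my $MAX_AGE = 3600;    # seconds a signed cookie stays valid

# The signing step: bind the payload to an issue time and append an HMAC.
sub sign_cookie {
    my ($payload, $now) = @_;
    return join '|', $now, $payload, hmac_sha256_hex("$now|$payload", $SECRET);
}

# Constant-time comparison, so timing does not reveal how much of the MAC matched.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns a hashref of key/value pairs if the cookie verifies; otherwise nothing (caller redirects).
sub verify_cookie {
    my ($cookie, $now) = @_;
    return unless defined $cookie;
    my ($issued, $payload, $mac) = $cookie =~ /\A(\d+)\|(.*)\|([0-9a-f]{64})\z/s or return;
    return unless ct_eq($mac, hmac_sha256_hex("$issued|$payload", $SECRET));
    return if $issued > $now || $now - $issued > $MAX_AGE;
    my %kv;
    for my $pair (split /&/, $payload) {
        my ($k, $v) = split /=/, $pair, 2;
        return unless defined $v && length $k;
        $kv{$k} = $v;
    }
    return \%kv;
}

# Constructed sample input: one signed cookie, then a tampered and a stale use of it.
my $t0   = 1035300000;
my $good = sign_cookie('uid=alice&dept=appdev', $t0);
(my $forged = $good) =~ s/uid=alice/uid=bob/;
for my $case (['valid', $good, $t0 + 60], ['tampered', $forged, $t0 + 60],
              ['expired', $good, $t0 + 7200], ['missing', undef, $t0]) {
    my ($name, $cookie, $now) = @$case;
    my $kv = verify_cookie($cookie, $now);
    printf "%-9s %s\n", $name, $kv ? "accept uid=$kv->{uid}" : 'reject, redirect';
}
```

The signature only detects tampering; a cookie captured off the wire still verifies until `$MAX_AGE` passes, which is why the replies also call for SSL.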
AuthCookie questions
I'm considering use of Apache::AuthCookie in my environment. Here's the problem I need to solve. I'm not certain if AuthCookie will, without modification, support my needs.

1. Authentication cookies are doled out from a centralized server that is
   out of my control and cannot be modified to suit my local needs (if
   any).
2. If the cookie is not present when a user hits my site, I redirect to
   the centralized server and leave breadcrumbs in the redirect for the
   cookie server to redirect back to me after giving out the cookie.
3. I need to parse the cookie to determine validity and populate certain
   environmental variables.
4. I cannot modify the cookie and should not send additional cookies.

I know that AuthCookie in combination with a locally-written subclass to implement the authen_ses_key method will handle needs 1-3. I'm uncertain about 4. Can I use an unmodified AuthCookie to ensure that whatever format the inbound cookie is in is sufficient and will not need to be modified or supplemented? I believe the answer is no, and, if it is, should this be something that AuthCookie be modified to handle?

Thanks,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group