Re: Single login/sign-on for different web apps?

2002-01-20 Thread Ed Grimm

On Wed, 16 Jan 2002, Paul Lindner wrote:
 On Wed, Jan 16, 2002 at 06:56:37PM -0500, Vsevolod Ilyushchenko wrote:
  3) Perl-based applications can just use the module and the common key
 to decrypt the contents of the cookie to find the authenticated
 username.  If the cookie is not present redirect to the central
 authentication page, passing in the URL to return to after
 Hmmm... Can I do it securely without using Kerberos? I think so. Looks like
 if I use https instead of http, people won't be able to steal my (encoded)
 session information as it is transmitted. And I can also add the IP address
 to the cookie information.
 But the cookies file might be readable by other people! If they can steal
 that file and change the IP address of another machine to yours, they can
 pretend they are you!
 I wonder if there is a way out of this...
 Yes, you use the timestamp.  Just reauthenticate the user when they
 try to do 'sensitive' activities.

No, use session cookies - they're not stored on disk.  If you need the
system to retain knowledge through a browser shutdown, you can use a
timestamped cookie to retain the user ID, but don't have it allow them
to do anything other than not have to type their user ID in again
(password screen has user ID filled out for them.)

One can also mark the cookies such that they'll only be transmitted over

 $cookie = CGI::Cookie-new(-name   = 'login',
-value  = 
tgape::setcookiepassword($uid, $pass),
-domain = '',
-path   = '/',
-secure = 1,

If you feel the need to timestamp your session cookies, make the cookie
include an encrypted timestamp.

 For example you might allow someone to view their bank balance if they
 typed their password within the last 2 hours.  Transferring money
 might require a valid password within the last 10 minutes..

Ah, but many systems will refresh a cookie on activity.  So they view
their balance, get a new cookie, and then transfer money.

 Of course, the best authentication system for banking I've seen is
 from UBS.  They send you a scratchlist of around 100 numbers.  Every
 time you login you use one of the numbers and cross it off.  Very

All I need to do is find where you left the list.  Written passwords are
not anywhere near as secure as memorized passwords, unless the person
carrying them around is really conscious about security concerns.


Re: Single login/sign-on for different web apps?

2002-01-20 Thread Ed Grimm

No.  There are very important reasons why Apache by default puts an ACL
restricting .ht* from being viewable.  (Basically, the password encryption
used in said file is moderately easily cracked via brute force.)

One could use a file distributed using rsync(1) or some such (preferably
with RSYNC_RSH=ssh).  However, that's still a bit on the unsecure side,
unless you really do trust everyone who is running one of these web


On Wed, 16 Jan 2002, Medi Montaseri wrote:

 I wonder if one could change the HTTP Server's behavior to process a
 distributed version of AuthUserFile and AuthGroupFile.
 That instead of
 AuthUserFile /some/secure/directory/.htpasswd
 One would say
 Then write a GUI (web) inteface to this password and group file and
 you have distributed authentication system.
 Ed Grimm wrote:
  On Wed, 16 Jan 2002, Medi Montaseri wrote:
   I think Netegrity single sing-on system modifies the HTTP server
   (possible with mod_perl) to overload or override its native
   authoentication and instead contact a Host, Database or LDAP to get
   the yes or no along with expiration data it then sends its finding
   to the CGI by sending additonal HTTP Header info. A CGI program can
   then go from there...
  Something like this.  Basically, it has modules, plugins, or access
  instructions, as appropriate, for various web servers, to configure them
  to use it.  I know it gives an LDAP interface, and I'm assuming it gives
  an LDAPS interface; I'm not sure what others it may present.
   I might not have this 100%, but perhaps we can learn from those
   commercial products.
   Someone suggested using LDAP and RDBMS, my question is why both, why
   not just RDBMS.
  Why not just LDAP?  As someone working on rolling out a single sign-on
  solution with LDAPS, I really want to know...  (We're planning on
  getting Netegrity for its distributed administration stuff; at that
  time, we'll start using its web server configuration stuff for any new
  web servers.  Until that time, we're rolling out LDAPS, and we're not
  currently planning on converting systems we roll out in the interm to
  Incidentally, we're being a bunch of lazy bums, compared to the rest of
  y'all.  We're considering single sign-on to mean they only need to keep
  track of one userid and password (unless they need to access classified
  or otherwise restricted stuff.)  If they go to different sites and have
  to log on again, we don't currently care.  (Basically, we have too many
  sites created by too many groups.  We'll share the same login between
  servers run by the same group, but beyond that, security concerns
  outweigh user convinience.)
   Aaron Johnson wrote:
   We are working on/with a similar system right now.
   We have an application that is written in Perl, but the people
   visiting will most likely be signing on at a different point then our
   applications sign in page. Our system was built to use its own
   internal database for authentication and their app/login uses a
   different method.  The design requirements were that each side would
   have to do as little possible to modify there application to work in
   our single sign on solution.
   We have the luxury of not being overly concerned with the security
   aspect so please keep that in mind.
   We setup a nightly sync program that verifies the data in the current
   database vs. their login user information database.
   Here is a less then detailed summary of how the system operates.
   1) The user logs into the application through their application and
   they are sent a cookie that contains the user name.
   2) All links to our application are sent to a single page on their
   end with the full url of the page they want as part of the query
   3) They verify that the user is valid using whatever method they
   4) The user is then redirected to a special page in our application
   that expects the query string to contain two items, the user name and
   the final URL to go to.
   5) Our application verifies the HTTP_REFFERER and the query string
   contains valid values.
   6) Our application checks the database for a user matching the name
   sent in. Then if the user already has a session if they do then they
   are redirected to the correct page, otherwise it does a lookup in our
   system to create a session for the user based on the incoming user
   name and then redirects to the final URL.
   Now a user can go between the two applications without concern since
   they have a cookie for each domain.
   If the user comes to our site the reverse of the above occurs.
   This allowed us to plug into existing applications without a lot of
   rework. It is also fairly language/platform independent.
   As stated above I know there are some large security issues with this

Re: Single login/sign-on for different web apps?

2002-01-20 Thread Ed Grimm

On Wed, 16 Jan 2002, Medi Montaseri wrote:

 I think Netegrity single sing-on system modifies the HTTP server
 (possible with mod_perl) to overload or override its native
 authoentication and instead contact a Host, Database or LDAP to get
 the yes or no along with expiration data it then sends its finding
 to the CGI by sending additonal HTTP Header info. A CGI program can
 then go from there...

Something like this.  Basically, it has modules, plugins, or access
instructions, as appropriate, for various web servers, to configure them
to use it.  I know it gives an LDAP interface, and I'm assuming it gives
an LDAPS interface; I'm not sure what others it may present.

 I might not have this 100%, but perhaps we can learn from those
 commercial products.

 Someone suggested using LDAP and RDBMS, my question is why both, why
 not just RDBMS.

Why not just LDAP?  As someone working on rolling out a single sign-on
solution with LDAPS, I really want to know...  (We're planning on
getting Netegrity for its distributed administration stuff; at that
time, we'll start using its web server configuration stuff for any new
web servers.  Until that time, we're rolling out LDAPS, and we're not
currently planning on converting systems we roll out in the interm to

Incidentally, we're being a bunch of lazy bums, compared to the rest of
y'all.  We're considering single sign-on to mean they only need to keep
track of one userid and password (unless they need to access classified
or otherwise restricted stuff.)  If they go to different sites and have
to log on again, we don't currently care.  (Basically, we have too many
sites created by too many groups.  We'll share the same login between
servers run by the same group, but beyond that, security concerns
outweigh user convinience.)


 Aaron Johnson wrote:
 We are working on/with a similar system right now.

 We have an application that is written in Perl, but the people
 visiting will most likely be signing on at a different point then our
 applications sign in page. Our system was built to use its own
 internal database for authentication and their app/login uses a
 different method.  The design requirements were that each side would
 have to do as little possible to modify there application to work in
 our single sign on solution.

 We have the luxury of not being overly concerned with the security
 aspect so please keep that in mind.

 We setup a nightly sync program that verifies the data in the current
 database vs. their login user information database.

 Here is a less then detailed summary of how the system operates.

 1) The user logs into the application through their application and
 they are sent a cookie that contains the user name.

 2) All links to our application are sent to a single page on their
 end with the full url of the page they want as part of the query

 3) They verify that the user is valid using whatever method they

 4) The user is then redirected to a special page in our application
 that expects the query string to contain two items, the user name and
 the final URL to go to.

 5) Our application verifies the HTTP_REFFERER and the query string
 contains valid values.

 6) Our application checks the database for a user matching the name
 sent in. Then if the user already has a session if they do then they
 are redirected to the correct page, otherwise it does a lookup in our
 system to create a session for the user based on the incoming user
 name and then redirects to the final URL.

 Now a user can go between the two applications without concern since
 they have a cookie for each domain.

 If the user comes to our site the reverse of the above occurs.

 This allowed us to plug into existing applications without a lot of
 rework. It is also fairly language/platform independent.

 As stated above I know there are some large security issues with this

 Aaron Johnson

 Vsevolod Ilyushchenko wrote:


 Have you ever ran into the problem of putting up many separate web
 apps on several machines in your company/university/whatever that
 are written from scratch or downloaded frow the Web and each of
 which has its own user database? What would you think is a good way
 to make the system seem more cohesive for the users?

 It occurs to me that 1) for the single login they all should use the
 same user database (obviously :), and 2) for the single sign-on
 there must be a way of storing the session information. That is,
 once I login in the morning to the first app, I get a cookie, a
 ticket or something similar, and then, as I go from app to app, I
 will not have to re-enter my credentials because they are supplied
 by a cookie. Apache::Session sounds like the right tool for the job.
 (Did I hear Kerberos? :)

 Has anyone had experince with this kind of app integration? The
 downside I see is that once I settle on a particular scheme to do
 it, I will have to build this scheme into every app that 

Re: Single login/sign-on for different web apps?

2002-01-20 Thread Ed Grimm

On Thu, 17 Jan 2002, Gunther Birznieks wrote:

 Of course, the best authentication system for banking I've seen is
 from UBS.  They send you a scratchlist of around 100 numbers.  Every
 time you login you use one of the numbers and cross it off.  Very
 Does that really work in practice? That sounds really annoying. Is this for 
 business banking or for retail? How do they get the next 100 numbers to the 
 user? Do they mail it out when they've used 90?
 It sounds like it would be less annoying to use certificates and some 
 plug-in token there is going to be that much extra work to deal with a 
 password sheet.

Alternately, for a high-tech approach, RSA makes a nice product called a
SecurID token (Well, one of mine says Security Dynamics on the back, but
the new ones definitely say RSA).  Actually, they make two, one nice,
one not nice.  The nice one has a keypad where you enter in a pin, press
a button, and it generates a temporary id based on its serial number,
your pin, and the current time interval; the time interval changes every
minute or two.  The not nice one has no keypad; it works like the other
would if you didn't enter a pin.

I know of several companies that use these; they tend to work fairly
well.  (I had one break on me, but I gave it a lot of abuse first; it
lasted almost half of its battery span in spite of not being taken care


Re: Single login/sign-on for different web apps?

2002-01-17 Thread Mark Fowler

On Wed, 16 Jan 2002, Mark Maunder wrote:

 The only way I could come up with, was to have the browser redirected
 to every domain name with an encrypted uri variable to prove it is
 signed on which causes each host included in the single sign on to
 assign an auth cookie to the browser.

Instead of redirecting the entire page you could just include images
(the typical 1x1 pixel) from each server on the You've been logged on 
page and have each of them set a cookie for that domain name.

For this to work with modern browsers (i.e. IE6 and properly configured
mozillas) you'll need to include a compact policy in your P3P header[1],
otherwise the browser will consider this an unauthorised attempt to serve
a third party image and block the cookie.



[1] See, for more information

s''  Mark Fowler  [EMAIL PROTECTED]
';use Term'Cap;$t=Tgetent Term'Cap{};print$t-Tputs(cl);for$w(split/  +/
){for(0..30){$|=print$t-Tgoto(cm,$_,$y). $w;select$k,$k,$k,.03}$y+=2}

Re[2]: Single login/sign-on for different web apps?

2002-01-17 Thread C.Hauser - IT assistance GmbH

Of course, the best authentication system for banking I've seen is
from UBS.  They send you a scratchlist of around 100 numbers.  Every
time you login you use one of the numbers and cross it off.  Very
 Does that really work in practice? That sounds really annoying. Is this for 
 business banking or for retail? How do they get the next 100 numbers to the 
 user? Do they mail it out when they've used 90?

It works, as I'm a customer of UBS. They do it for everybody, business and
private. They send the the scratchlist by post, even, registered.

When you reach the 80th number, a new list will be automatically sent.

BR Christian

Re: Single login/sign-on for different web apps?

2002-01-17 Thread Dominique Quatravaux

 I hadn't really taken a look at personal certificates until this thread
 came up.  It looks like thawte is offering personal certificates at no

  Yep, and the society I work in develops a GPLed PKI, which is a
Perl+PHP+LDAP app for rolling your own certificates (both user and

  Certificates are indeed a straightforward way of getting SSO - but
you have to carry your certificate with you whenever you change
workstations. Here are reasonable solutions (trading security for
  * most secure: use USB crypto tokens (slow and extra per-user price,
but will safeguard the private key and destroy it upon attack);
  * very secure: use dedicated workstations, one per user
   (impractical), or laptops (expensive but may be amortized with
   other needs); 
  * not so secure (equivalent of password SSO): carry the key on a
floppy, and keep it password-encrypted at all times.

  On the server side, you have to get your Apache to grok certificates
(easy with recent versions of openssl), and the authentication info
then gets passed down to PHP and Perl scripts as environment variables
(OK, this guy is called CN=John Doe, OU=sales, O=yourcompany - trust
me on this). You have to patch your apps, sure, but all the burden of
binding a bunch of crypto bits to a name is removed from you in a
highly secure fashion.

 Tout n'y est pas parfait, mais on y honore certainement les jardiniers 

Dominique Quatravaux [EMAIL PROTECTED]

Re: Single login/sign-on for different web apps?

2002-01-17 Thread Robert Landrum

At 9:06 PM + 1/16/02, Mark Maunder wrote:
That's cool, but any ideas on how to do this with different domain names i.e.,, and You can't create cookies for the .com
domain, so there's no way to hand out auth cookies from (when the user
logs into and have the browser send them to too. Also
can't hand out cookies for, so you can't implement a single sign on
using cookies for multiple domain names from the same host.

The only way I could come up with, was to have the browser redirected to every
domain name with an encrypted uri variable to prove it is signed on 
which causes
each host included in the single sign on to assign an auth cookie to the

So the browser is logged into, and by logging
into which assigns a cookie and  redirects to which assigns a
cookie and redirects it to which assigns a cookie and redirects it to which assigns a cookie and redirects it back to It has now
collected all cookies required for signon to all domain names and is 
logged into
all of them.

That's not terribly efficient for the user.  If I were to do this, 
I'd probably put some You are now logged in page that loads images 
from,,, and (transparent single pixel 
gifs would work).

Now the user is logged in to all those servers (provided that the 
gifs returned were returned with Set-Cookie headers).

The same thing can be done with authentication.  Most browsers allow 
you to write urls as
http://user:[EMAIL PROTECTED]/images/spacer.gif

It's not pretty, and not super secure, but it does work.


When I used a Mac, they laughed because I had no command prompt. When 
I used Linux, they laughed because I had no GUI.  

Re: Single login/sign-on for different web apps?

2002-01-16 Thread Steve Piner

Vsevolod Ilyushchenko wrote:

 Yes, but I still should be able to propely handle people who go to any of
 the protected sites first thing in the morning. I don't think I can get
 away with only exit-point authentication that you propose. If the
 entrance-point authentication works well, there should be no need for this
 additional level. (Please correct me if I am wrong. :)

Do cookies get set if returned via an image?

If so, once the user has logged in, you could return a page with
invisible images on it, where each image is from each site that the user
needs to be authenticated to.

Each image is unimportant. The important bit is that an authentication
cookie is set for each domain the image is returned from.

This leaves one tricky point as far as I can see: you need to securely
identify which image request comes from each user. The obvious/easy way
would be to put some sort of unique identifier in the path or query
string, but this may not be secure enough for your purposes.

Oh yeah, it'd break if they didn't have images on. :-(


Steve Piner
Web Applications Developer
Marketview Limited

Re: Single login/sign-on for different web apps?

2002-01-16 Thread Vsevolod Ilyushchenko

  3) Perl-based applications can just use the module and the common key
 to decrypt the contents of the cookie to find the authenticated
 username.  If the cookie is not present redirect to the central
 authentication page, passing in the URL to return to after

Hmmm... Can I do it securely without using Kerberos? I think so. Looks like
if I use https instead of http, people won't be able to steal my (encoded)
session information as it is transmitted. And I can also add the IP address
to the cookie information.

But the cookies file might be readable by other people! If they can steal
that file and change the IP address of another machine to yours, they can
pretend they are you!
I wonder if there is a way out of this...


Simon (Vsevolod ILyushchenko)   [EMAIL PROTECTED]  [EMAIL PROTECTED] 

A man who feels himself a citizen of the world whose 
loyalty is to the human race and to life, rather than 
to any exclusive part of it; a man who loves his country 
because he loves mankind, and whose judgement is not 
warped by tribal loyalties. Erich Fromm

Re: Single login/sign-on for different web apps?

2002-01-16 Thread Paul Lindner

On Wed, Jan 16, 2002 at 06:56:37PM -0500, Vsevolod Ilyushchenko wrote:
   3) Perl-based applications can just use the module and the common key
  to decrypt the contents of the cookie to find the authenticated
  username.  If the cookie is not present redirect to the central
  authentication page, passing in the URL to return to after
 Hmmm... Can I do it securely without using Kerberos? I think so. Looks like
 if I use https instead of http, people won't be able to steal my (encoded)
 session information as it is transmitted. And I can also add the IP address
 to the cookie information.
 But the cookies file might be readable by other people! If they can steal
 that file and change the IP address of another machine to yours, they can
 pretend they are you!
 I wonder if there is a way out of this...

Yes, you use the timestamp.  Just reauthenticate the user when they
try to do 'sensitive' activities.

For example you might allow someone to view their bank balance if they
typed their password within the last 2 hours.  Transferring money
might require a valid password within the last 10 minutes..

Of course, the best authentication system for banking I've seen is
from UBS.  They send you a scratchlist of around 100 numbers.  Every
time you login you use one of the numbers and cross it off.  Very

Paul Lindner[EMAIL PROTECTED]   | | | | |  |  |  |   |   |

mod_perl Developer's Cookbook
 Human Rights Declaration

Re: Single login/sign-on for different web apps?

2002-01-16 Thread Mark Maunder

Daniel Little wrote:

  From: Mark Maunder [mailto:[EMAIL PROTECTED]]
   Here's one idea that worked for me in one application:
1) assume that all hosts share the same domain suffix:
2) Define a common authentication cookie that is sent to *
   This cookie could might contain the following information:
  username, timestamp
  The only way I could come up with, was to have the browser
  redirected to every domain name with an encrypted uri variable
  to prove it is signed on which causes each host included in
  the single sign on to assign an auth cookie to the browser.
  So the browser is logged into, and by logging into which assigns a cookie and
  redirects to which assigns a cookie and redirects
  it to which assigns a cookie and redirects it to which assigns a cookie and redirects it back to It has now collected all cookies required for
  signon to all domain names and is logged into all of them.

 An alternative to this scheme - and depending on how much control you have
 over the applications / servers at each end - is to do this in a delayed
 fashion. The only time you really need to get authenticated at each server
 is when the browser is sent off to the new site. Instead of redirecting the
 browser to the new site directly, it sends it to a script on the server that
 they are currently connected to (and therefore already authenticated with)
 which requests a 'transition' token of some kind from the authentication
 server. The transition token then is used to transfer them to the requested
 server, which based on the token, does a lookup on the authentication server
 to find out if its a valid transition token, and if so, generates a new
 cookie for them (if necessary) and logs them into the site.

This assumes they dont just type in the url of the other site they want to visit
manually. It limits the user to visiting sites via links on sites they are
currently logged on to.

Re: Single login/sign-on for different web apps?

2002-01-16 Thread Medi Montaseri

I think Netegrity single sing-on system modifies the HTTP server (possible
with mod_perl)
to overload or override its native authoentication and instead contact
a Host, Database or
LDAP to get the yes or no along with expiration data it then sends
its finding to the CGI
by sending additonal HTTP Header info. A CGI program can then go from
I might not have this 100%, but perhaps we can learn from those commercial
Someone suggested using LDAP and RDBMS, my question is why both, why
not just
Aaron Johnson wrote:
We are working on/with a similar system right now.
We have an application that is written in Perl, but the people visiting
will most likely be signing on at a different point then our
applications sign in page. Our system was built to use its own internal
database for authentication and their app/login uses a different
method. The design requirements were that each side would have
to do as
little possible to modify there application to work in our single sign
on solution.
We have the luxury of not being overly concerned with the security
aspect so please keep that in mind.
We setup a nightly sync program that verifies the data in the current
database vs. their login user information database.
Here is a less then detailed summary of how the system operates.
1) The user logs into the application through their application and
are sent a cookie that contains the user name.
2) All links to our application are sent to a single page on their end
with the full url of the page they want as part of the query string.
3) They verify that the user is valid using whatever method they want.
4) The user is then redirected to a special page in our application
expects the query string to contain two items, the user name and the
final URL to go to.
5) Our application verifies the HTTP_REFFERER and the query string
contains valid values.
6) Our application checks the database for a user matching the name
in. Then if the user already has a session if they do then they are
redirected to the correct page, otherwise it does a lookup in our system
to create a session for the user based on the incoming user name and
then redirects to the final URL.
Now a user can go between the two applications without concern since
they have a cookie for each domain.
If the user comes to our site the reverse of the above occurs.
This allowed us to plug into existing applications without a lot of
rework. It is also fairly language/platform independent.
As stated above I know there are some large security issues with this
Aaron Johnson
Vsevolod Ilyushchenko wrote:
> Hi,
> Have you ever ran into the problem of putting up many separate web
apps on
> several machines in your company/university/whatever that are written
> scratch or downloaded frow the Web and each of which has its own
> database? What would you think is a good way to make the system seem
> cohesive for the users?
> It occurs to me that 1) for the single login they all should use
the same
> user database (obviously :), and 2) for the single sign-on there
must be a
> way of storing the session information. That is, once I login in
> morning to the first app, I get a cookie, a ticket or something similar,
> and then, as I go from app to app, I will not have to re-enter my
> credentials because they are supplied by a cookie. Apache::Session
> like the right tool for the job. (Did I hear "Kerberos"? :)
> Has anyone had experince with this kind of app integration? The downside
> see is that once I settle on a particular scheme to do it, I will
have to
> build this scheme into every app that was not written internally.
> that's the life in the before-standards age, I guess...
> Thanks,
> Simon
> --
> Simon (Vsevolod ILyushchenko) [EMAIL PROTECTED]
> "A man who feels himself a citizen of the world whose
> loyalty is to the human race and to life, rather than
> to any exclusive part of it; a man who loves his country
> because he loves mankind, and whose judgement is not
> warped by tribal loyalties." Erich Fromm

Medi Montaseri [EMAIL PROTECTED]
Unix Distributed Systems Engineer HTTP://
CyberShell Engineering

Re: Single login/sign-on for different web apps?

2002-01-16 Thread Medi Montaseri

I wonder if one could change the HTTP Server's behavior to process a
distributed version of "AuthUserFile" and "AuthGroupFile".
That instead of
AuthUserFile "/some/secure/directory/.htpasswd
One would say
AuthUserFile ""
Then write a GUI (web) inteface to this password and group file and
you have distributed authentication system.
Ed Grimm wrote:
On Wed, 16 Jan 2002, Medi Montaseri wrote:
> I think Netegrity single sing-on system modifies the HTTP server
> (possible with mod_perl) to overload or override its native
> authoentication and instead contact a Host, Database or LDAP to get
> the yes or no along with expiration data it then sends its finding
> to the CGI by sending additonal HTTP Header info. A CGI program can
> then go from there...
Something like this. Basically, it has modules, plugins, or access
instructions, as appropriate, for various web servers, to configure
to use it. I know it gives an LDAP interface, and I'm assuming
it gives
an LDAPS interface; I'm not sure what others it may present.
> I might not have this 100%, but perhaps we can learn from those
> commercial products.
> Someone suggested using LDAP and RDBMS, my question is why both,
> not just RDBMS.
Why not just LDAP? As someone working on rolling out a single
solution with LDAPS, I really want to know... (We're planning
getting Netegrity for its distributed administration stuff; at that
time, we'll start using its web server configuration stuff for any
web servers. Until that time, we're rolling out LDAPS, and we're
currently planning on converting systems we roll out in the interm
Incidentally, we're being a bunch of lazy bums, compared to the rest
y'all. We're considering single sign-on to mean they only need
to keep
track of one userid and password (unless they need to access classified
or otherwise restricted stuff.) If they go to different sites
and have
to log on again, we don't currently care. (Basically, we have
too many
sites created by too many groups. We'll share the same login
servers run by the same group, but beyond that, security concerns
outweigh user convinience.)
> Aaron Johnson wrote:
>> We are working on/with a similar system right now.
>> We have an application that is written in Perl, but the people
>> visiting will most likely be signing on at a different point then
>> applications sign in page. Our system was built to use its own
>> internal database for authentication and their app/login uses a
>> different method. The design requirements were that each side
>> have to do as little possible to modify there application to work
>> our single sign on solution.
>> We have the luxury of not being overly concerned with the security
>> aspect so please keep that in mind.
>> We setup a nightly sync program that verifies the data in the current
>> database vs. their login user information database.
>> Here is a less then detailed summary of how the system operates.
>> 1) The user logs into the application through their application
>> they are sent a cookie that contains the user name.
>> 2) All links to our application are sent to a single page on their
>> end with the full url of the page they want as part of the query
>> string.
>> 3) They verify that the user is valid using whatever method they
>> want.
>> 4) The user is then redirected to a special page in our application
>> that expects the query string to contain two items, the user name
>> the final URL to go to.
>> 5) Our application verifies the HTTP_REFFERER and the query string
>> contains valid values.
>> 6) Our application checks the database for a user matching the name
>> sent in. Then if the user already has a session if they do then
>> are redirected to the correct page, otherwise it does a lookup in
>> system to create a session for the user based on the incoming user
>> name and then redirects to the final URL.
>> Now a user can go between the two applications without concern since
>> they have a cookie for each domain.
>> If the user comes to our site the reverse of the above occurs.
>> This allowed us to plug into existing applications without a lot
>> rework. It is also fairly language/platform independent.
>> As stated above I know there are some large security issues with
>> approach.
>> Aaron Johnson
>> Vsevolod Ilyushchenko wrote:
>>> Hi,
>>> Have you ever ran into the problem of putting up many separate
>>> apps on several machines in your company/university/whatever that
>>> are written from scratch or downloaded frow the Web and each of
>>> which has its own user database? What would you think is a good
>>> to make the system seem more cohesive for the users?
>>> It occurs to me that 1) for the single login they all should use
>>> same user database (obviously :), and 2) for the single sign-on
>>> there must be a way of 

Re: Single login/sign-on for different web apps?

2002-01-16 Thread Gunther Birznieks

Of course, the best authentication system for banking I've seen is
from UBS.  They send you a scratchlist of around 100 numbers.  Every
time you login you use one of the numbers and cross it off.  Very

Does that really work in practice? That sounds really annoying. Is this for 
business banking or for retail? How do they get the next 100 numbers to the 
user? Do they mail it out when they've used 90?

It sounds like it would be less annoying to use certificates and some 
plug-in token there is going to be that much extra work to deal with a 
password sheet.

Re: Single login/sign-on for different web apps?

2002-01-16 Thread Aaron Johnson

I hadn't really taken a look at personal certificates until this thread
came up.  It looks like thawte is offering personal certificates at no

This would make it a more likely method since lots of site
traffic wouldn't want to pay and people tyring out the service wouldn't
be forced to pay just to login.

When you say plug-in token are you talking about a browser plug-in?

Aaron Johnson

More Resources for PKI, CA, etc.

Gunther Birznieks wrote:
 Of course, the best authentication system for banking I've seen is
 from UBS.  They send you a scratchlist of around 100 numbers.  Every
 time you login you use one of the numbers and cross it off.  Very
 Does that really work in practice? That sounds really annoying. Is this for
 business banking or for retail? How do they get the next 100 numbers to the
 user? Do they mail it out when they've used 90?
 It sounds like it would be less annoying to use certificates and some
 plug-in token there is going to be that much extra work to deal with a
 password sheet.

Re: Single login/sign-on for different web apps?

2002-01-16 Thread Andrew Ho


PLOf course, the best authentication system for banking I've seen is
PLfrom UBS. They send you a scratchlist of around 100 numbers. Every
PLtime you login you use one of the numbers and cross it off. Very

GBDoes that really work in practice? That sounds really annoying. Is this
GBfor business banking or for retail? How do they get the next 100 numbers
GBto the user? Do they mail it out when they've used 90?

The ACE SecurID system (I think they're owned by RSA now) refines this
process well. You have a hardy little credit-card sized (or key fob sized,
and I'm sure they have other form factors) object. It has a little LCD
screen and every 30 seconds the 4- to 6-digit number on it changes. When
you log into the server, you give it your ID, a password, AND the number
currently on your SecurID card or key fob.

The key fob is nice. It's hardy and lasts a long time. I have one from
Motorola from my stint there many years ago. You could probably toss it on
the sidewalk from my third-story balcony and it'd be okay, plus it's
small and easy to read.

This is inferior to a true zero-knowledge challenge-response system which
would require a little calculator, but it's far more secure than a
password and far easier to use than paper and pencil.

Here's the RSA SecurID URL:

Here's a picture of some of the hardware tokens:

I guess they DO have a challenge-response calculator. Neat.



Engineer   [EMAIL PROTECTED]  Voice 650-930-9062
Tellme Networks, Inc.   1-800-555-TELLFax 650-930-9101