Posted to modperl@perl.apache.org by Peter Bi <mo...@att.net> on 2002/11/10 05:58:59 UTC

Re: AuthCookie questions

Check here: http://modperl.home.att.net
Peter

----- Original Message -----
From: "Christian Gilmore" <cg...@tivoli.com>
To: "'Michael Schout'" <ms...@gkg.net>
Cc: "'Modperl Mailing List (E-mail)'" <mo...@perl.apache.org>
Sent: Tuesday, October 22, 2002 12:13 PM
Subject: RE: AuthCookie questions


> Hi, Michael. Let me try again with more specifics. I'm required to mash my
> service into another organization's authentication scheme, ditching my own
> secure methods for their cross-domain unencrypted, unsigned cookie.
>
>   1. Foreign server, foreign.foo.com, presents a form to a user requesting
>      userid/password. Foreign server accepts credentials and creates a simple
>      session cookie whose domain is foo.com containing a string of
>      unencrypted key/value pairs.
>   2. User comes to my local server, local.foo.com, and sends along his
>      cookie for domain foo.com. I need to parse out one of the key/value
>      pairs and populate an environment variable (aside from REMOTE_USER)
>      with the pair's data. If the user comes without the cookie or without
>      appropriate data in the cookie, I need to redirect him to foreign.
>
> I am also asked to not create any other cookies. All the data I need is in
> the one cookie that comes from foreign. So, my needs boil down to:
>
>   1. Read data from existing cookie.
>   1a. Redirect if cookie is non-existent.
>   2. Accept or reject cookie.
>   2a. If rejected, redirect.
>   2b. If accepted, populate environment and return.
>
> On a side note, if anyone finds the proposed design lacking for security or
> anything else, please let me know.
>
> Thanks,
> Christian
>
> -----------------
> Christian Gilmore
> Technology Leader
> GeT WW Global Applications Development
> IBM Software Group
>
>
> > -----Original Message-----
> > From: Michael Schout [mailto:mschout@gkg.net]
> > Sent: Tuesday, October 22, 2002 2:00 PM
> > To: Christian Gilmore
> > Cc: Modperl Mailing List (E-mail)
> > Subject: Re: AuthCookie questions
> >
> >
> > Christian Gilmore wrote:
> >
> > >   4. I cannot modify the cookie and should not send additional cookies.
> >
> > [snip]
> >
> > > about 4. Can I use an unmodified AuthCookie to ensure that whatever format
> > > the inbound cookie is in is sufficient and will not need to be modified or
> > > supplemented? I believe the answer is no, and, if it is, should this be
> >
> > What exactly do you mean by this?  What are you trying to accomplish?
> > Do you mean "The user cannot modify the cookie?"  If that's what you
> > mean, then yes, there are ways to do that.  Basically you have to
> > cryptographically sign the cookie using a secret that is unknown to the
> > end user.  There is an example of this in the Eagle book, and
> > Apache::AuthTicket uses a scheme similar to this.  Because you can't
> > control what the cookie server sends, you'd probably have to do some
> > sort of double redirect. For example:
> >
> > o user is redirected to auth server
> > o auth server returns cookie and redirects to /SIGNHANDLER
> > o signhandler gets the cookie, cryptographically signs it, and
> >    returns the cookie to the client and redirects to real location
> > o user is redirected to real location.
> >
> > If that's not what you mean, please elaborate.
> >
> > Regards,
> > Mike
> >
>