Posted to modperl@perl.apache.org by Christian Gilmore <cg...@tivoli.com> on 2002/10/22 19:13:50 UTC
AuthCookie questions
I'm considering use of Apache::AuthCookie in my environment. Here's the
problem I need to solve. I'm not certain if AuthCookie will, without
modification, support my needs.
1. Authentication cookies are doled out from a centralized server that is
out of my control and cannot be modified to suit my local needs (if
any).
2. If the cookie is not present when a user hits my site, I redirect to the
centralized server and leave breadcrumbs in the redirect for the cookie
server to redirect back to me after giving out the cookie.
3. I need to parse the cookie to determine validity and populate certain
environmental variables.
4. I cannot modify the cookie and should not send additional cookies.
I know that AuthCookie in combination with a locally-written subclass to
implement the authen_ses_key method will handle needs 1-3. I'm uncertain
about 4. Can I use an unmodified AuthCookie to ensure that whatever format
the inbound cookie is in is sufficient and will not need to be modified or
supplemented? I believe the answer is no, and, if it is, should this be
something that AuthCookie be modified to handle?
Thanks,
Christian
-----------------
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group
Re: AuthCookie questions
Posted by Michael Schout <ms...@gkg.net>.
Christian Gilmore wrote:
> 1. Read data from existing cookie.
> 1a. Redirect if cookie is non-existent.
> 2. Accept or reject cookie.
> 2a. If rejected, redirect.
> 2b. If accepted, populate environment and return.
Sounds to me like you really don't need AuthCookie at all. You could
just as easily do all of this by writing a PerlAccessHandler that does
the above things.
I'll second Perrin's comments. You definitely have security problems
with this. The only way to do this securely is to cryptographically sign
the cookie and to encrypt the data on the wire using SSL.
Mike
Re: AuthCookie questions
Posted by Perrin Harkins <pe...@elem.com>.
Christian Gilmore wrote:
> Hi, Michael. Let me try again with more specifics. I'm required to mash my
> service into another organization's authentication scheme, ditching my own
> secure methods for their cross-domain unencrypted, unsigned cookie.
[...]
> On a side note, if anyone finds the proposed design lacking for security or
> anything else, please let me know.
It sounds like you are already aware that it lacks security. The
important thing to remember about cookies is that unless you use some
kind of cryptographic signature to verify them you have absolutely no
idea if the cookie came from your site or not. People can very easily
put whatever they want in a cookie to send to your site using one of the
thousands of HTTP testing programs and libraries, and if you use that
cookie as a key to a data structure they may be able to gain access to
other people's data.
Even if you use a crypto signature they can still sniff someone else's
legit cookie off the wire, but at least you can prevent them from
tampering with the contents of the cookie.
"Never trust the client."
- Perrin
Re: AuthCookie questions
Posted by Peter Bi <mo...@att.net>.
Check here: http://modperl.home.att.net
Peter
----- Original Message -----
From: "Christian Gilmore" <cg...@tivoli.com>
To: "'Michael Schout'" <ms...@gkg.net>
Cc: "'Modperl Mailing List (E-mail)'" <mo...@perl.apache.org>
Sent: Tuesday, October 22, 2002 12:13 PM
Subject: RE: AuthCookie questions
> Hi, Michael. Let me try again with more specifics. I'm required to mash my
> service into another organization's authentication scheme, ditching my own
> secure methods for their cross-domain unencrypted, unsigned cookie.
>
> 1. Foreign server, foreign.foo.com, presents a form to a user requesting
> userid/password. Foreign server accepts credentials and creates simple
> session cookie whose domain is foo.com containing a string of
> unencrypted key/value pairs.
> 2. User comes to my local server, local.foo.com, and sends along his
> cookie for domain foo.com. I need to parse out one of the key/value
> pairs and populate an environment variable (aside from REMOTE_USER)
> with the pair's data. If the user comes without the cookie or without
> appropriate data in the cookie, I need to redirect him to foreign.
>
> I am also asked to not create any other cookies. All the data I need is in
> the one cookie that comes from foreign. So, my needs boil down to:
>
> 1. Read data from existing cookie.
> 1a. Redirect if cookie is non-existent.
> 2. Accept or reject cookie.
> 2a. If rejected, redirect.
> 2b. If accepted, populate environment and return.
>
> On a side note, if anyone finds the proposed design lacking for security or
> anything else, please let me know.
>
> Thanks,
> Christian
>
> -----------------
> Christian Gilmore
> Technology Leader
> GeT WW Global Applications Development
> IBM Software Group
>
>
> > -----Original Message-----
> > From: Michael Schout [mailto:mschout@gkg.net]
> > Sent: Tuesday, October 22, 2002 2:00 PM
> > To: Christian Gilmore
> > Cc: Modperl Mailing List (E-mail)
> > Subject: Re: AuthCookie questions
> >
> >
> > Christian Gilmore wrote:
> >
> > > 4. I cannot modify the cookie and should not send
> > additional cookies.
> >
> > [snip]
> >
> > > about 4. Can I use an unmodified AuthCookie to ensure that
> > whatever format
> > > the inbound cookie is in is sufficient and will not need to
> > be modified or
> > > supplemented? I believe the answer is no, and, if it is,
> > should this be
> >
> > What exactly do you mean by this? What are you trying to accomplish?
> > Do you mean "The user cannot modify the cookie?" If that's what you
> > mean, then yes, there are ways to do that. Basically you have to
> > cryptographically sign the cookie using a secret that is
> > unknown to the
> > end user. There is an example of this in the Eagle book, and
> > Apache::AuthTicket uses a scheme similar to this. Because you can't
> > control what the cookie server sends, you'd probably have to do some
> > sort of double redirect. For example:
> >
> > o user is redirected to auth server
> > o auth server returns cookie and redirects to /SIGNHANDLER
> > o signhandler gets the cookie, cryptographically signs it, and
> > returns the cookie to the client and redirects to real location
> > o user is redirected to real location.
> >
> > If that's not what you mean, please elaborate.
> >
> > Regards,
> > Mike
> >
>
RE: AuthCookie questions
Posted by Christian Gilmore <cg...@tivoli.com>.
Hi, Michael. Let me try again with more specifics. I'm required to mash my
service into another organization's authentication scheme, ditching my own
secure methods for their cross-domain unencrypted, unsigned cookie.
1. Foreign server, foreign.foo.com, presents a form to a user requesting
userid/password. Foreign server accepts credentials and creates simple
session cookie whose domain is foo.com containing a string of
unencrypted key/value pairs.
2. User comes to my local server, local.foo.com, and sends along his
cookie for domain foo.com. I need to parse out one of the key/value
pairs and populate an environment variable (aside from REMOTE_USER)
with the pair's data. If the user comes without the cookie or without
appropriate data in the cookie, I need to redirect him to foreign.
I am also asked to not create any other cookies. All the data I need is in
the one cookie that comes from foreign. So, my needs boil down to:
1. Read data from existing cookie.
1a. Redirect if cookie is non-existent.
2. Accept or reject cookie.
2a. If rejected, redirect.
2b. If accepted, populate environment and return.
On a side note, if anyone finds the proposed design lacking for security or
anything else, please let me know.
Thanks,
Christian
-----------------
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group
> -----Original Message-----
> From: Michael Schout [mailto:mschout@gkg.net]
> Sent: Tuesday, October 22, 2002 2:00 PM
> To: Christian Gilmore
> Cc: Modperl Mailing List (E-mail)
> Subject: Re: AuthCookie questions
>
>
> Christian Gilmore wrote:
>
> > 4. I cannot modify the cookie and should not send
> additional cookies.
>
> [snip]
>
> > about 4. Can I use an unmodified AuthCookie to ensure that
> whatever format
> > the inbound cookie is in is sufficient and will not need to
> be modified or
> > supplemented? I believe the answer is no, and, if it is,
> should this be
>
> What exactly do you mean by this? What are you trying to accomplish?
> Do you mean "The user cannot modify the cookie?" If that's what you
> mean, then yes, there are ways to do that. Basically you have to
> cryptographically sign the cookie using a secret that is
> unknown to the
> end user. There is an example of this in the Eagle book, and
> Apache::AuthTicket uses a scheme similar to this. Because you can't
> control what the cookie server sends, you'd probably have to do some
> sort of double redirect. For example:
>
> o user is redirected to auth server
> o auth server returns cookie and redirects to /SIGNHANDLER
> o signhandler gets the cookie, cryptographically signs it, and
> returns the cookie to the client and redirects to real location
> o user is redirected to real location.
>
> If that's not what you mean, please elaborate.
>
> Regards,
> Mike
>
Re: AuthCookie questions
Posted by Michael Schout <ms...@gkg.net>.
Christian Gilmore wrote:
> 4. I cannot modify the cookie and should not send additional cookies.
[snip]
> about 4. Can I use an unmodified AuthCookie to ensure that whatever format
> the inbound cookie is in is sufficient and will not need to be modified or
> supplemented? I believe the answer is no, and, if it is, should this be
What exactly do you mean by this? What are you trying to accomplish?
Do you mean "The user cannot modify the cookie?" If that's what you
mean, then yes, there are ways to do that. Basically you have to
cryptographically sign the cookie using a secret that is unknown to the
end user. There is an example of this in the Eagle book, and
Apache::AuthTicket uses a scheme similar to this. Because you can't
control what the cookie server sends, you'd probably have to do some
sort of double redirect. For example:
o user is redirected to auth server
o auth server returns cookie and redirects to /SIGNHANDLER
o signhandler gets the cookie, cryptographically signs it, and
returns the cookie to the client and redirects to real location
o user is redirected to real location.
If that's not what you mean, please elaborate.
Regards,
Mike
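The sign-then-verify scheme Mike sketches (and the "never trust the client" point Perrin makes) worked through as an added example; this is not code from the thread, from Apache::AuthCookie or from Apache::AuthTicket. It assumes the foreign cookie is a constructed "key=value&key=value" string, a hypothetical server-side secret, and a hypothetical FOREIGN_ROLE environment variable; the /SIGNHANDLER step is sign_cookie and the access-handler step is access_handler.

```python
import hashlib
import hmac
from typing import Optional

# Hypothetical server-side secret: loaded from config in practice, never
# sent to the client. The client cannot forge a tag without it.
SERVER_SECRET = b"constructed-example-secret-do-not-use"


def parse_foreign_cookie(raw: str) -> dict:
    """Parse the foreign server's 'key=value&key=value' string (constructed format)."""
    pairs = {}
    for item in raw.split("&"):
        if "=" in item:
            key, value = item.split("=", 1)
            pairs[key] = value
    return pairs


def sign_cookie(raw: str, secret: bytes = SERVER_SECRET) -> str:
    """/SIGNHANDLER step: append an HMAC-SHA256 tag over the unmodified foreign value."""
    tag = hmac.new(secret, raw.encode(), hashlib.sha256).hexdigest()
    return f"{raw}|{tag}"


def verify_cookie(signed: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Return the parsed pairs only if the tag verifies; None means redirect."""
    raw, sep, tag = signed.rpartition("|")
    if not sep:
        return None  # unsigned cookie: the client could have typed anything
    expected = hmac.new(secret, raw.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return parse_foreign_cookie(raw)


def access_handler(cookie_value: Optional[str]) -> tuple:
    """Steps 1-2b from the thread: ('redirect', None) or ('ok', env_to_populate)."""
    if not cookie_value:
        return ("redirect", None)  # 1a: no cookie
    pairs = verify_cookie(cookie_value)
    if pairs is None or "user" not in pairs:
        return ("redirect", None)  # 2a: rejected (bad tag or missing data)
    env = {"REMOTE_USER": pairs["user"], "FOREIGN_ROLE": pairs.get("role", "")}
    return ("ok", env)  # 2b: accepted, populate environment
```

The signed cookie still travels in the clear, so, as Perrin notes, a sniffed legitimate cookie can be replayed unless the wire is protected with SSL; the tag only stops tampering.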