Posted to modperl@perl.apache.org by Christian Gilmore <cg...@tivoli.com> on 2002/10/22 19:13:50 UTC

AuthCookie questions

I'm considering use of Apache::AuthCookie in my environment. Here's the
problem I need to solve. I'm not certain if AuthCookie will, without
modification, support my needs.

  1. Authentication cookies are doled out from a centralized server that is
     out of my control and cannot be modified to suit my local needs (if
     any).

  2. If the cookie is not present when a user hits my site, I redirect to
     the centralized server and leave breadcrumbs in the redirect for the
     cookie server to redirect back to me after giving out the cookie.

  3. I need to parse the cookie to determine validity and populate certain
     environmental variables.

  4. I cannot modify the cookie and should not send additional cookies.

I know that AuthCookie in combination with a locally-written subclass to
implement the authen_ses_key method will handle needs 1-3. I'm uncertain
about 4. Can I use an unmodified AuthCookie to ensure that whatever format
the inbound cookie is in is sufficient and will not need to be modified or
supplemented? I believe the answer is no, and, if it is, should this be
something that AuthCookie be modified to handle?

Thanks,
Christian

-----------------
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group


Re: AuthCookie questions

Posted by Michael Schout <ms...@gkg.net>.
Christian Gilmore wrote:
>   1. Read data from existing cookie.
>   1a. Redirect if cookie is non-existent.
>   2. Accept or reject cookie.
>   2a. If rejected, redirect.
>   2b. If accepted, populate environment and return.

Sounds to me like you really don't need AuthCookie at all.  You could 
just as easily do all of this by writing a PerlAccessHandler that does 
the above things.

I'll second Perrin's comments.  You definitely have security problems 
with this.  The only way to do this securely is to cryptographically sign 
the cookie and to encrypt the data on the wire using SSL.

Mike


Re: AuthCookie questions

Posted by Perrin Harkins <pe...@elem.com>.
Christian Gilmore wrote:
> Hi, Michael. Let me try again with more specifics. I'm required to mash my
> service into another organization's authentication scheme, ditching my own
> secure methods for their cross-domain unencrypted, unsigned cookie.
[...]
> On a side note, if anyone finds the proposed design lacking for security or
> anything else, please let me know.

It sounds like you are already aware that it lacks security.  The 
important thing to remember about cookies is that unless you use some 
kind of cryptographic signature to verify them you have absolutely no 
idea if the cookie came from your site or not.  People can very easily 
put whatever they want in a cookie to send to your site using one of the 
thousands of HTTP testing programs and libraries, and if you use that 
cookie as a key to a data structure they may be able to gain access to 
other people's data.

Even if you use a crypto signature they can still sniff someone else's 
legit cookie off the wire, but at least you can prevent them from 
tampering with the contents of the cookie.

"Never trust the client."

- Perrin


Re: AuthCookie questions

Posted by Peter Bi <mo...@att.net>.
check here http://modperl.home.att.net
Peter

----- Original Message -----
From: "Christian Gilmore" <cg...@tivoli.com>
To: "'Michael Schout'" <ms...@gkg.net>
Cc: "'Modperl Mailing List (E-mail)'" <mo...@perl.apache.org>
Sent: Tuesday, October 22, 2002 12:13 PM
Subject: RE: AuthCookie questions


> Hi, Michael. Let me try again with more specifics. I'm required to mash my
> service into another organization's authentication scheme, ditching my own
> secure methods for their cross-domain unencrypted, unsigned cookie.
>
>   1. Foreign server, foreign.foo.com, presents a form to a user requesting
>      userid/password. Foreign server accepts credentials and creates simple
>      session cookie whose domain is foo.com containing a string of
>      unencrypted key/value pairs.
>   2. User comes to my local server, local.foo.com, and sends along his
>      cookie for domain foo.com. I need to parse out one of the key/value
>      pairs and populate an environment variable (aside from REMOTE_USER)
>      with the pair's data. If the user comes without the cookie or without
>      appropriate data in the cookie, I need to redirect him to foreign.
>
> I am also asked to not create any other cookies. All the data I need is in
> the one cookie that comes from foreign. So, my needs boil down to:
>
>   1. Read data from existing cookie.
>   1a. Redirect if cookie is non-existent.
>   2. Accept or reject cookie.
>   2a. If rejected, redirect.
>   2b. If accepted, populate environment and return.
>
> On a side note, if anyone finds the proposed design lacking for security or
> anything else, please let me know.
>
> Thanks,
> Christian
>
> -----------------
> Christian Gilmore
> Technology Leader
> GeT WW Global Applications Development
> IBM Software Group
>
>
> > -----Original Message-----
> > From: Michael Schout [mailto:mschout@gkg.net]
> > Sent: Tuesday, October 22, 2002 2:00 PM
> > To: Christian Gilmore
> > Cc: Modperl Mailing List (E-mail)
> > Subject: Re: AuthCookie questions
> >
> >
> > Christian Gilmore wrote:
> >
> > >   4. I cannot modify the cookie and should not send
> > additional cookies.
> >
> > [snip]
> >
> > > about 4. Can I use an unmodified AuthCookie to ensure that
> > whatever format
> > > the inbound cookie is in is sufficient and will not need to
> > be modified or
> > > supplemented? I believe the answer is no, and, if it is,
> > should this be
> >
> > What exactly do you mean by this?  What are you trying to accomplish?
> > Do you mean "The user cannot modify the cookie?"  If that's what you
> > mean, then yes, there are ways to do that.  Basically you have to
> > cryptographically sign the cookie using a secret that is
> > unknown to the
> > end user.  There is an example of this in the Eagle book, and
> > Apache::AuthTicket uses a scheme similar to this.  Because you can't
> > control what the cookie server sends, you'd probably have to do some
> > sort of double redirect. For example:
> >
> > o user is redirected to auth server
> > o auth server returns cookie and redirects to /SIGNHANDLER
> > o signhandler gets the cookie, cryptographically signs it, and
> >    returns the cookie to the client and redirects to real location
> > o user is redirected to real location.
> >
> > If that's not what you mean, please elaborate.
> >
> > Regards,
> > Mike
> >
>


RE: AuthCookie questions

Posted by Christian Gilmore <cg...@tivoli.com>.
Hi, Michael. Let me try again with more specifics. I'm required to mash my
service into another organization's authentication scheme, ditching my own
secure methods for their cross-domain unencrypted, unsigned cookie.

  1. Foreign server, foreign.foo.com, presents a form to a user requesting
     userid/password. Foreign server accepts credentials and creates simple
     session cookie whose domain is foo.com containing a string of
     unencrypted key/value pairs.
  2. User comes to my local server, local.foo.com, and sends along his
     cookie for domain foo.com. I need to parse out one of the key/value
     pairs and populate an environment variable (aside from REMOTE_USER)
     with the pair's data. If the user comes without the cookie or without
     appropriate data in the cookie, I need to redirect him to foreign.

I am also asked to not create any other cookies. All the data I need is in
the one cookie that comes from foreign. So, my needs boil down to:

  1. Read data from existing cookie.
  1a. Redirect if cookie is non-existent.
  2. Accept or reject cookie.
  2a. If rejected, redirect.
  2b. If accepted, populate environment and return.

On a side note, if anyone finds the proposed design lacking for security or
anything else, please let me know.

Thanks,
Christian

-----------------
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group


> -----Original Message-----
> From: Michael Schout [mailto:mschout@gkg.net]
> Sent: Tuesday, October 22, 2002 2:00 PM
> To: Christian Gilmore
> Cc: Modperl Mailing List (E-mail)
> Subject: Re: AuthCookie questions
>
>
> Christian Gilmore wrote:
>
> >   4. I cannot modify the cookie and should not send
> additional cookies.
>
> [snip]
>
> > about 4. Can I use an unmodified AuthCookie to ensure that
> whatever format
> > the inbound cookie is in is sufficient and will not need to
> be modified or
> > supplemented? I believe the answer is no, and, if it is,
> should this be
>
> What exactly do you mean by this?  What are you trying to accomplish?
> Do you mean "The user cannot modify the cookie?"  If that's what you
> mean, then yes, there are ways to do that.  Basically you have to
> cryptographically sign the cookie using a secret that is
> unknown to the
> end user.  There is an example of this in the Eagle book, and
> Apache::AuthTicket uses a scheme similar to this.  Because you can't
> control what the cookie server sends, you'd probably have to do some
> sort of double redirect. For example:
>
> o user is redirected to auth server
> o auth server returns cookie and redirects to /SIGNHANDLER
> o signhandler gets the cookie, cryptographically signs it, and
>    returns the cookie to the client and redirects to real location
> o user is redirected to real location.
>
> If that's not what you mean, please elaborate.
>
> Regards,
> Mike
>


Re: AuthCookie questions

Posted by Michael Schout <ms...@gkg.net>.
Christian Gilmore wrote:

>   4. I cannot modify the cookie and should not send additional cookies.

[snip]

> about 4. Can I use an unmodified AuthCookie to ensure that whatever format
> the inbound cookie is in is sufficient and will not need to be modified or
> supplemented? I believe the answer is no, and, if it is, should this be

What exactly do you mean by this?  What are you trying to accomplish? 
Do you mean "The user cannot modify the cookie?"  If that's what you 
mean, then yes, there are ways to do that.  Basically you have to 
cryptographically sign the cookie using a secret that is unknown to the 
end user.  There is an example of this in the Eagle book, and 
Apache::AuthTicket uses a scheme similar to this.  Because you can't 
control what the cookie server sends, you'd probably have to do some 
sort of double redirect. For example:

o user is redirected to auth server
o auth server returns cookie and redirects to /SIGNHANDLER
o signhandler gets the cookie, cryptographically signs it, and
   returns the cookie to the client and redirects to real location
o user is redirected to real location.

If that's not what you mean, please elaborate.

Regards,
Mike
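The double-redirect scheme Mike describes above, and the "never trust the client" point Perrin makes, written out as an added example that is not code from the thread, from Apache::AuthCookie or from Apache::AuthTicket. It is plain Python rather than a mod_perl handler so the logic can be run stand-alone; the cookie names, the "key=value&key=value" payload format, the login URL path and the environment variable names are assumptions, and the secret is a constructed placeholder.

```python
import hmac
import hashlib
from urllib.parse import quote

# Constructed placeholder; in deployment the secret lives in server config and
# is never sent to the browser, which is what makes the MAC meaningful.
SECRET = b"constructed-example-secret-change-me"
FOREIGN_COOKIE = "FOOAUTH"         # hypothetical name of foreign.foo.com's cookie
SIGNED_COOKIE = "FOOAUTH_SIGNED"   # hypothetical name of the locally signed copy
LOGIN_URL = "https://foreign.foo.com/login"   # host from the thread, path assumed


def parse_pairs(value):
    """Split 'user=alice&dept=sales' into a dict (assumed foreign cookie format)."""
    pairs = {}
    for item in value.split("&"):
        if "=" in item:
            key, val = item.split("=", 1)
            pairs[key] = val
    return pairs


def sign(payload):
    """/SIGNHANDLER step: bind the foreign payload to our secret with HMAC-SHA256."""
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify(signed):
    """Return the payload if the MAC matches, else None. rpartition is safe because
    the hex MAC never contains '.'; compare_digest avoids a timing side channel."""
    payload, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(mac, expected) else None


def sign_handler(cookies, required_key, return_to):
    """Browser arrives from the auth server with the unsigned foreign cookie:
    accept it only if the needed key is present, emit the signed copy, redirect."""
    raw = cookies.get(FOREIGN_COOKIE)
    if raw is None or required_key not in parse_pairs(raw):
        return ("REDIRECT", LOGIN_URL + "?return=" + quote(return_to, safe=""))
    return ("SET_COOKIE_AND_REDIRECT", {SIGNED_COOKIE: sign(raw)}, return_to)


def access_handler(cookies, required_key):
    """Per-request check (the PerlAccessHandler role): trust only the signed copy,
    then export the wanted pair to the environment; otherwise bounce to login."""
    payload = verify(cookies.get(SIGNED_COOKIE, ""))
    pairs = parse_pairs(payload) if payload is not None else {}
    if required_key not in pairs:
        return ("REDIRECT", LOGIN_URL)
    return ("OK", {"REMOTE_USER": pairs.get("user", ""),
                   "FOO_" + required_key.upper(): pairs[required_key]})
```

A forged or edited cookie fails `verify` and is redirected; as Perrin notes, this stops tampering but not replay of a sniffed cookie, which is why the signed cookie still needs SSL.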