Hi,
From 'Firefox's Live HTTP Headers add-on', I don't see anything more than
I already know.
'/BlueGateway/Cosign.aspx' is our only protected page.
Following is from the add-on:
----------------------------------------------------------
https://192.168.0.116/cosign-bin/cosign.cgi
POST /cosign-bin/cosign.cgi HTTP/1.1
Host: 192.168.0.116
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://192.168.0.116/cosign-bin/cosign.cgi?factors=test&cosign-cosign&http://lynx/BlueGateway/Cosign.aspx?ds=Teacher&rp=http%3a%2f%2flynx%3a80%2fBlueGateway%2fLogin.aspx&=BP7dwkc9v%2fI%3d
Cookie: exposedFactors=,friend; cosign=oJHnLO0jIjxTpyYSJBibq5HIzf0DaInCAqX6xmR8h7exze3Ds5ll03-cZwauf1EAJg+TfuCHjlAKPdoXKQdJarMxaVH7eMa8nXGNHQqCIXkDbX6ZwIVad9bbruTf/1257975400
Content-Type: application/x-www-form-urlencoded
Content-Length: 245
required=test&ref=http%3A%2F%2Flynx%2FBlueGateway%2FCosign.aspx%3Fds%3DTeacher%26rp%3Dhttp%253a%252f%252flynx%253a80%252fBlueGateway%252fLogin.aspx%26%3DBP7dwkc9v%252fI%253d&service=cosign-cosign&login=t001&password=blue&passcode=&doLogin=Log+In
HTTP/1.x 302 Found
Date: Wed, 11 Nov 2009 21:36:45 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7l
Set-Cookie: cosign=oJHnLO0jIjxTpyYSJBibq5HIzf0DaInCAqX6xmR8h7exze3Ds5ll03-cZwauf1EAJg+TfuCHjlAKPdoXKQdJarMxaVH7eMa8nXGNHQqCIXkDbX6ZwIVad9bbruTf/1257975400/1; path=/; secure
Location: http://192.168.0.22/cosign/valid?cosign-cosign=f6QbcsO6pyNze2t4LrPi1KlG7rCv2j8dLJd6UJzsok4naCYMKqYlcjrrm52m6WqMK7CDqpsh44D5hDBtQGcpKS7y80nZrX7dPGKhkD4SVB--o+exwhqSo6i3T2gN&http://lynx/BlueGateway/Cosign.aspx?ds=Teacher&rp=http%3a%2f%2flynx%3a80%2fBlueGateway%2fLogin.aspx&=BP7dwkc9v%2fI%3d
Content-Length: 593
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
http://192.168.0.22/cosign/valid?cosign-cosign=f6QbcsO6pyNze2t4LrPi1KlG7rCv2j8dLJd6UJzsok4naCYMKqYlcjrrm52m6WqMK7CDqpsh44D5hDBtQGcpKS7y80nZrX7dPGKhkD4SVB--o+exwhqSo6i3T2gN&http://lynx/BlueGateway/Cosign.aspx?ds=Teacher&rp=http%3a%2f%2flynx%3a80%2fBlueGateway%2fLogin.aspx&=BP7dwkc9v%2fI%3d
GET /cosign/valid?cosign-cosign=f6QbcsO6pyNze2t4LrPi1KlG7rCv2j8dLJd6UJzsok4naCYMKqYlcjrrm52m6WqMK7CDqpsh44D5hDBtQGcpKS7y80nZrX7dPGKhkD4SVB--o+exwhqSo6i3T2gN&http://lynx/BlueGateway/Cosign.aspx?ds=Teacher&rp=http%3a%2f%2flynx%3a80%2fBlueGateway%2fLogin.aspx&=BP7dwkc9v%2fI%3d HTTP/1.1
Host: 192.168.0.22
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
HTTP/1.x 302 Redirect.
Date: Wed, 11 Nov 2009 21:33:21 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: cosign-cosign=f6QbcsO6pyNze2t4LrPi1KlG7rCv2j8dLJd6UJzsok4naCYMKqYlcjrrm52m6WqMK7CDqpsh44D5hDBtQGcpKS7y80nZrX7dPGKhkD4SVB--o+exwhqSo6i3T2gN;path=/
Location: http://lynx/BlueGateway/Cosign.aspx?ds=Teacher&rp=http%3a%2f%2flynx%3a80%2fBlueGateway%2fLogin.aspx&=BP7dwkc9v%2fI%3d
----------------------------------------------------------
http://lynx/BlueGateway/Cosign.aspx?ds=Teacher&rp=http%3a%2f%2flynx%3a80%2fBlueGateway%2fLogin.aspx&=BP7dwkc9v%2fI%3d
GET /BlueGateway/Cosign.aspx?ds=Teacher&rp=http%3a%2f%2flynx%3a80%2fBlueGateway%2fLogin.aspx&=BP7dwkc9v%2fI%3d HTTP/1.1
Host: lynx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: retPath=http://localhost:80/BlueEvaluation/Login/Login.aspx?ReturnUrl=%2fblueevaluation%2fDefault.aspx; CoSignDataSource=Data1; LoginId=e79a4e56-3a2d-4258-8aa8-66b6956481fe
HTTP/1.x 302 Redirect.
Date: Wed, 11 Nov 2009 21:33:21 GMT
Server: Microsoft-IIS/6.0
Location: https://192.168.0.116/?factors=test&cosign-cosign&http://lynx/BlueGateway/Cosign.aspx?ds=Teacher&rp=http%3a%2f%2flynx%3a80%2fBlueGateway%2fLogin.aspx&=BP7dwkc9v%2fI%3d
----------------------------------------------------------
If you can find anything wrong, please let me know.
Wenzhuo Zhang
From: andrew...@hotmail.com
To: admor...@umich.edu; ja...@umich.edu
Date: Wed, 11 Nov 2009 16:32:07 -0500
CC: cosign-discuss@lists.sourceforge.net
Subject: Re: [Cosign-discuss] IIS 6 Cosign filter
Hi all,
I successfully installed a central weblogin server (version 2) on
MacOS (10.4) as our test server last year.
It was working fine for testing purposes.
But the Mac server got formatted, so I have to install the new cosign
(version 3).
1) Because our protected site uses an http connection, I have set the
<cookies> <secure> to false, which worked in version 2.
2) The /valid/cosign is not protected. From Event Viewer, I saw that the
filter (validation handler) has successfully validated the service cookies and
destination URL after it intercepts the /cosign/valid URL. Then it sets
the service cookies and redirects to the destination URL.
That's where the problem happens: it seems that the filter can't find
the cookies set by itself, then redirects to the weblogin server again, and
then it goes in a loop
till the browser shows a 'cannot display the webpage' message.
3) The ports and certificates are fine, because I saw communications
between the filter and the weblogin server in debug mode.
The messages look like the following:
----------------------------------------------------------------------------------------------------------------------------------------------------------------
debug: STARTTLS 2
debug: CHECK cosign=vRC+EO3aLemIrafLS1yjquvhmzEEgpruTGd7UiZSbmsb1sTF8GedF4M3WQFAslJMvvCaVqKAMt7kMo42ULQJnVNWsC3RtO0WZfsLS44momS-hxV9JDKCmszNldW1
debug: LOGIN cosign=vRC+EO3aLemIrafLS1yjquvhmzEEgpruTGd7UiZSbmsb1sTF8GedF4M3WQFAslJMvvCaVqKAMt7kMo42ULQJnVNWsC3RtO0WZfsLS44momS-hxV9JDKCmszNldW1 192.168.0.22 t001 test
debug: CHECK cosign=vRC+EO3aLemIrafLS1yjquvhmzEEgpruTGd7UiZSbmsb1sTF8GedF4M3WQFAslJMvvCaVqKAMt7kMo42ULQJnVNWsC3RtO0WZfsLS44momS-hxV9JDKCmszNldW1
debug:REGISTER cosign=vRC+EO3aLemIrafLS1yjquvhmzEEgpruTGd7UiZSbmsb1sTF8GedF4M3WQFAslJMvvCaVqKAMt7kMo42ULQJnVNWsC3RtO0WZfsLS44momS-hxV9JDKCmszNldW1 192.168.0.22 cosign-cosign=Ts1UfKJHuNPsLOlMM+9WrK46w1rXbzq9cI0bQ2dQG63YGtkRBBIyz8jKUBdNSmq3zszYQS1lUwp9d9UHZ8tipBLYNRiG7fChrBeHZWGtLlZmjRHBZFVN2AxRI3rI
debug: STARTTLS 2
debug: CHECK cosign-cosign=Ts1UfKJHuNPsLOlMM+9WrK46w1rXbzq9cI0bQ2dQG63YGtkRBBIyz8jKUBdNSmq3zszYQS1lUwp9d9UHZ8tipBLYNRiG7fChrBeHZWGtLlZmjRHBZFVN2AxRI3rI
debug: STARTTLS 2
debug: CHECK cosign=vRC+EO3aLemIrafLS1yjquvhmzEEgpruTGd7UiZSbmsb1sTF8GedF4M3WQFAslJMvvCaVqKAMt7kMo42ULQJnVNWsC3RtO0WZfsLS44momS-hxV9JDKCmszNldW1
debug: REGISTER cosign=vRC+EO3aLemIrafLS1yjquvhmzEEgpruTGd7UiZSbmsb1sTF8GedF4M3WQFAslJMvvCaVqKAMt7kMo42ULQJnVNWsC3RtO0WZfsLS44momS-hxV9JDKCmszNldW1 192.168.0.22 cosign-cosign=I6MAuFa5SjM7qgdYzpV-thy0SH6iPj-SWJxxmn+++ZUleLs7h94NNkCXYPlssRs0WqE1ppkbGu6zsGAJ20ES5ftK2dOOv02Eo4vFkRfkm6jdFlRPUYEToWgWc24p
debug: CHECK cosign-cosign=I6MAuFa5SjM7qgdYzpV-thy0SH6iPj-SWJxxmn+++ZUleLs7h94NNkCXYPlssRs0WqE1ppkbGu6zsGAJ20ES5ftK2dOOv02Eo4vFkRfkm6jdFlRPUYEToWgWc24p
----------------------------------------------------------------------------------------------------------------------------------------------------------------
This is just part of the messages for a one-time login; many more CHECKs and
REGISTERs follow.
4) I have checked /var/log/system.log; there are no cosignd activities
recorded.
I'll try to use 'Firefox's Live HTTP Headers add-on' to see if I could
find more details about the problem.
Thank you for responding.
Wenzhuo Zhang
> From: admor...@umich.edu
> Date: Wed, 11 Nov 2009 15:42:34 -0500
> To: ja...@umich.edu
> CC: cosign-discuss@lists.sourceforge.net
> Subject: Re: [Cosign-discuss] IIS 6 Cosign filter
>
>
> On Nov 11, 2009, at 3:09 PM, Jarod Malestein wrote:
>
> >
> > Common causes of browser looping:
> >
> > By default, the cosign service cookies are marked as secure, and will
> > not be transmitted over http connections. The recommended solution is
> > to redirect http requests for cosign-protected pages to the https
> > equivalent. You can also remove the "secure" flag in the settings,
> > but this is, of course, insecure. In the cosign.dll.config file for
> > the IIS 6 filter look for the <cookies><secure> option and set it to
> > false.
> >
> > Outgoing connections on port 6663 are being blocked and the filter
> > cannot communicate with the weblogin server.
> >
> > There is an expired or untrusted certificate being used on either the
> > cosign-protected web server or on the weblogin server.
>
> And in a cosign 3.0 environment:
>
> Your service certificate does not have access to the service cookie in
> question, and so cannot validate the service cookie. cosignd will log this
> when it occurs.
>
> You have /cosign/valid cosign-protected, so the filter cannot validate and
> set the service cookie. This is easier to detect using, as Mark suggested,
> Firefox's Live HTTP Headers add-on.
>
> cosignd should log to /var/log/system.log on Mac OS X.
>
> andrew
>
> > On Nov 11, 2009, at 3:01 PM, Mark Montague wrote:
> >
> >> On Wed, Nov 11, 2009 2:42 PM, 文卓 张 <andrew...@hotmail.com> wrote:
> >>> The filter redirects to the protected page after validation handler
> >>> is done.
> >>> But it seems that the filter cannot find the cookies somehow, then
> >>> it redirects to weblogin server again, going in a loop.
> >>> At this point I cannot find more about the problem.
> >>
> >> Use Live HTTP Headers or a similar tool to observe the HTTP requests
> >> and responses. Let us know what the sequence of specific URLs are.
> >>
> >>
> >>> Another thing, I cannot find the cosignd log on a Mac. There is no
> >>> syslog.log on Mac OS.
> >>> Just wondering where the cosignd could write to.
> >>
> >> The Mac is your central weblogin server, correct? cosignd should
> >> not be run on a normal server that serves cosign-protected web pages.
> >>
> >> I don't know if anyone has successfully run a central weblogin server
> >> on a Mac. There might be changes that are needed to the source code
> >> to make it work. Out of the box, cosignd will log using the
> >> "daemon" facility. This does not appear to exist on MacOS 10.5;
> >> have you modified the code? syslog messages that are logged without
> >> a facility under MacOS X appear in /var/log/system.log
> >>
> >>
> >> Mark Montague
> >> ITS Web/Database Team
> >> The University of Michigan
> >>
> >> markm...@umich.edu
> >>
> >>
> >>
> >
> >
> > _______________________________________________
> > Cosign-discuss mailing list
> > Cosign-discuss@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>
>
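Added example, not part of the original thread and not cosign code: in the capture, the service cookie is set by the response from 192.168.0.22, and the following request to lynx carries no cosign-cosign cookie. The sketch below applies standard browser cookie scoping (RFC 6265 host, Secure and path matching) to that hop and to two constructed same-host variants; the function names are illustrative and SERVICE-TOKEN is a placeholder.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0], attrs


def cookie_returned(set_cookie, set_by_url, next_url):
    """Would a browser return this cookie on the request to next_url?
    Returns (sent, reason) after RFC 6265 host, Secure and path matching."""
    _, attrs = parse_set_cookie(set_cookie)
    src, dst = urlsplit(set_by_url), urlsplit(next_url)
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        host_ok = dst.hostname == domain or dst.hostname.endswith("." + domain)
    else:  # no Domain attribute: host-only cookie, exact host match required
        host_ok = dst.hostname == src.hostname
    if not host_ok:
        return False, f"host mismatch: set by {src.hostname}, request goes to {dst.hostname}"
    if "secure" in attrs and dst.scheme != "https":
        return False, "Secure cookie is not sent over http"
    cpath, rpath = attrs.get("path") or "/", dst.path or "/"
    if rpath != cpath and not rpath.startswith(cpath.rstrip("/") + "/"):
        return False, f"path {rpath} is outside cookie path {cpath}"
    return True, "sent"


# Constructed cases: hosts and paths follow the capture; SERVICE-TOKEN is a placeholder.
DEST = "http://lynx/BlueGateway/Cosign.aspx?ds=Teacher"
VALID = "/cosign/valid?cosign-cosign=SERVICE-TOKEN&" + DEST
CASES = {
    "as captured": ("cosign-cosign=SERVICE-TOKEN;path=/", "http://192.168.0.22" + VALID, DEST),
    "same host, secure on": ("cosign-cosign=SERVICE-TOKEN; path=/; secure", "http://lynx" + VALID, DEST),
    "same host, secure off": ("cosign-cosign=SERVICE-TOKEN;path=/", "http://lynx" + VALID, DEST),
}


def run_cases():
    return {label: cookie_returned(*args) for label, args in CASES.items()}

if __name__ == "__main__":
    for label, (sent, reason) in run_cases().items():
        print(f"{label:22} sent={sent}  {reason}")
```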