On January 22, 2013 5:19, Florian Mueller <flo2muel...@gmail.com> wrote:
> I'm trying to create an embedded login screen using cosign which turns
> out to be not as straightforward as I expected. ;)
> Problem is, I don't want users to be redirected to the login screen
> all the time. I want to be able to integrate the login screen in
> different pages, like a widget or similar.
How does the user know that the cosign-protected web server running this
web application has not been compromised, and that the embedded widget
is legitimate rather than being a form that was put up by an attacker
who compromised the web app? (We try to train our users here to never
provide their username and password to any web site except for the
central weblogin server.)
> When I login directly over login01.example.com I get back the following
> cookies:
>
>   login01.example.com    FALSE  /  TRUE  0  cosign            hrF9tJpx[...]/1358849389/1
>   service03.example.com  FALSE  /  TRUE  0  cosign-service03  rlh3-Zvmo/1358849389
>
> It looks like the problem is with the missing /1 in the
> login01.example.com cookie. But I don't understand this part. What does
> it mean and when is it added to the cookie?
For the central weblogin server cookies, see the file cgi/cgi.c,
specifically the lines that call snprintf with variables whose names
contain the word "cookie". For example, from the loop_checker() function:

    if ( snprintf( new_cookie, sizeof( new_cookie ),
            "%s/%d/%d", cookie, time, count) >= sizeof( new_cookie )) {
"time" is a timestamp in seconds past the epoch, and "count" is how many
times we've been through the cgi. If "count" gets too high, the cgi
assumes that the user's web browser is stuck in an endless redirect
loop, and it stops trying to authenticate the user and displays an error
message to the user instead.
--
Mark Montague
m...@catseye.org
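As an added illustration of the "<cookie>/<time>/<count>" layout described above (this is example code written for this page, not cosign's cgi.c; the LOOP_LIMIT value, the function names and the sample cookie values are assumptions made for the example), the following C parses a weblogin cookie value into its three fields, accepts the two-field form seen in the service cookie, and performs one round of the loop check with the same truncation test as the snprintf call quoted above:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed loop limit for this example only; not the value used in cgi.c. */
#define LOOP_LIMIT 5

struct cosign_cookie {
    char base[128];  /* opaque cookie value before the first '/' */
    long timestamp;  /* seconds since the epoch */
    int  count;      /* redirect-loop counter; -1 when the field is absent */
};

/* Parse "<base>/<time>" or "<base>/<time>/<count>".
 * Returns 0 on success, -1 if the value is malformed. */
int parse_cosign_cookie(const char *value, struct cosign_cookie *c)
{
    const char *slash = strchr(value, '/');
    const char *p;
    char *end;
    long n;
    size_t baselen;

    memset(c, 0, sizeof(*c));
    c->count = -1;
    if (slash == NULL)
        return -1;                          /* no timestamp field at all */
    baselen = (size_t)(slash - value);
    if (baselen == 0 || baselen >= sizeof(c->base))
        return -1;
    memcpy(c->base, value, baselen);
    c->base[baselen] = '\0';

    p = slash + 1;
    if (*p < '0' || *p > '9')
        return -1;                          /* timestamp must be decimal */
    c->timestamp = strtol(p, &end, 10);
    if (*end == '\0')
        return 0;                           /* two-field form (service cookie) */
    if (*end != '/')
        return -1;

    p = end + 1;
    if (*p < '0' || *p > '9')
        return -1;                          /* "/": count present but empty */
    n = strtol(p, &end, 10);
    if (*end != '\0' || n > 1000000)
        return -1;                          /* trailing junk or absurd count */
    c->count = (int)n;
    return 0;
}

/* One pass of the loop check: rewrite the cookie with the current time and an
 * incremented count.  Returns the new count, or -1 if the cookie is malformed,
 * the rewritten cookie would not fit, or the loop limit has been reached. */
int loop_check(const char *value, long now, char *new_cookie, size_t len)
{
    struct cosign_cookie c;
    int count;

    if (parse_cosign_cookie(value, &c) < 0)
        return -1;
    count = (c.count < 0) ? 0 : c.count;
    if (count >= LOOP_LIMIT)
        return -1;                          /* treat as an endless redirect loop */
    count++;
    /* Same truncation check as the snprintf call quoted from cgi.c. */
    if (snprintf(new_cookie, len, "%s/%ld/%d", c.base, now, count) >= (int)len)
        return -1;
    return count;
}

int main(void)
{
    char buf[256];
    /* Constructed sample value shaped like the login cookie in the thread. */
    int rc = loop_check("hrF9tJpx/1358849389/1", 1358849400L, buf, sizeof(buf));
    printf("rc=%d new_cookie=%s\n", rc, buf);
    return rc < 0;
}
```

The two-field form is accepted by the parser because the service cookie in the thread carries no count; whether the real cgi treats a missing count as zero is not stated in the thread, so that choice is part of the example's assumptions.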
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss