On January 22, 2013 5:19, Florian Mueller <flo2muel...@gmail.com> wrote:
I'm trying to create an embedded login screen using cosign which turns out to be not as straight-forward as I expected. ;)

Problem is, I don't want users to be redirected to the login screen all the time. I want to be able to integrate the login screen in different pages, like a widget or similar.

How does the user know that the cosign-protected web server running this web application has not been compromised, and that the embedded widget is legitimate rather than being a form that was put up by an attacker who compromised the web app? (We try to train our users here to never provide their username and password to any web site except for the central weblogin server.)



When I login directly over login01.example.com I get back the following cookies:

login01.example.com    FALSE    /    TRUE    0    cosign    hrF9tJpx[...]/1358849389/1
service03.example.com    FALSE    /    TRUE    0    cosign-service03    rlh3-Zvmo/1358849389

It looks like the problem is with the missing /1 in the login01.example.com cookie. But I don't understand this part. What does it mean and when is it added to the cookie?

For the central weblogin server cookies, see the file cgi/cgi.c, specifically the lines that call snprintf with variables whose names contain the word "cookie". For example, from the loop_checker() function,

        if ( snprintf( new_cookie, sizeof( new_cookie ),
                "%s/%d/%d", cookie, time, count) >= sizeof( new_cookie )) {

"time" is a timestamp in seconds past the epoch, and "count" is how many times we've been through the cgi. If "count" gets too high, the cgi assumes that the user's web browser is stuck in an endless redirect loop, and it stops trying to authenticate the user and displays an error message to the user instead.

--
  Mark Montague
  m...@catseye.org
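As an added illustration (not code from this thread or from cosign's cgi.c), here is a small C model of the "cookie/time/count" format and the redirect-loop check Mark describes; the token value, the time window and the count limit are constructed assumptions, not cosign's real settings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Both limits are assumptions for this illustration, not cosign's own values. */
#define LOOP_WINDOW_SECS 30   /* a pass older than this is not part of a loop */
#define LOOP_MAX_COUNT    5   /* give up after this many passes in the window */

/* Split "token[/time[/count]]" into its parts. Returns the number of fields
 * found (1..3) or -1 on malformed input; time and count are 0 when absent. */
int parse_cosign_cookie(const char *value, char *token, size_t toklen,
                        long *tstamp, int *count)
{
    const char *slash = strchr(value, '/'), *start;
    size_t n = slash ? (size_t)(slash - value) : strlen(value);
    char *end;

    *tstamp = 0; *count = 0;
    if (n == 0 || n + 1 > toklen) return -1;
    memcpy(token, value, n);
    token[n] = '\0';
    if (slash == NULL) return 1;           /* bare token, no time/count yet */
    *tstamp = strtol(slash + 1, &end, 10);
    if (end == slash + 1) return -1;       /* "/" not followed by a number */
    if (*end == '\0') return 2;
    if (*end != '/') return -1;
    start = end + 1;
    *count = (int)strtol(start, &end, 10);
    return (end == start || *end != '\0') ? -1 : 3;
}

/* Rewrite the cookie as "token/now/count+1", as the cgi's loop check does.
 * Returns the new count, or -1 when the browser looks stuck in a redirect
 * loop (or the input is bad): the caller should then stop redirecting. */
int loop_check(const char *cookie, long now, char *out, size_t outlen)
{
    char token[128];
    long t; int c;

    if (parse_cosign_cookie(cookie, token, sizeof token, &t, &c) < 0)
        return -1;
    if (now - t > LOOP_WINDOW_SECS)
        c = 0;                             /* stale pass: count afresh */
    if (c >= LOOP_MAX_COUNT)
        return -1;
    if (snprintf(out, outlen, "%s/%ld/%d", token, now, c + 1) >= (int)outlen)
        return -1;
    return c + 1;
}
```

Feeding the bare "hrF9tJpx" token (a constructed stand-in for the real value) through loop_check yields "hrF9tJpx/1358849389/1", the shape of the login01 cookie quoted above.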

_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
