Shawn/Cameron, yep, that's a big hole and I plan to use a *timestamp* to avoid it, but I don't know right now exactly how that will be done.

Dawn, SSO is handled through a separate application. I believe I have done the necessary things and I plan to do *more*, just to be on the safe side/to make myself happy. Nobody has asked me to do it but I want to cover all bases. That's how I always do it. So, any suggestions for stopping replay attacks?

Ajas.

On Tue, Jul 29, 2008 at 3:52 PM, Dawn Hoagland <[EMAIL PROTECTED]> wrote:
> Are you using IIS/Kerberos authentication where it's all handled on the
> server and pulling who it is from there - or is your SSO handled through a
> separate "application" where (for instance) an encrypted cookie is set so
> applications across several servers can utilize the cookie for
> authentication - or something else entirely?
>
> Depending on the SSO implementation, you may be doing more than you need to
> make it work.
>
> Dawn
>
> On Tue, Jul 29, 2008 at 3:28 PM, Ajas Mohammed <[EMAIL PROTECTED]> wrote:
>
>> Hi,
>>
>> I am implementing single sign-on and after I verify the user's credentials, I
>> have to redirect the user to a secure area which has its own login verification
>> through username/password textboxes, the usual way.
>>
>> The idea with single sign-on is to avoid that login verification page. So,
>> while redirecting the user to the secure area, I am planning to pass 2 parameters in
>> cflocation, i.e. 1. one to indicate it's single sign-on, so in Application.cfm for the
>> secure area folder I can set client variables; 2. the encrypted value of a
>> random key generated using the GenerateSecretKey function.
>>
>> Here is some code/logic:
>>
>> <!--- value the secure area will look for after decryption --->
>> <cfset redirectToSS = "whatever">
>>
>> <!--- generate a key; the algorithm and encoding variables are set before this --->
>> <cfset key = GenerateSecretKey(algorithm)>
>>
>> <!--- encrypt the marker with the random key --->
>> <cfset redirectToSS = Encrypt(redirectToSS, key, algorithm, encoding)>
>>
>> <!--- encrypt the random key itself with a fixed passphrase (default algorithm) --->
>> <cfset encKey = Encrypt(key, "sometext")>
>>
>> <cflocation url="../secureArea/MyHome.cfm?redirectToSS=#redirectToSS#&vartest=#encKey#">
>>
>> Now in secureArea/Application.cfm I will use redirectToSS and varTest.
>> First decrypt varTest to get the key value, and then use the key value to see what's in redirectToSS.
>> So,
>>
>> <cfif structKeyExists(url, "vartest") and structKeyExists(url, "redirectToSS")>
>>   <!--- recover the random key, then decrypt the marker with it --->
>>   <cfset key = Decrypt(url.vartest, "sometext")>
>>   <cfset redirectToSS = Decrypt(url.redirectToSS, key, algorithm, encoding)>
>>   <cfif redirectToSS eq "whatever">
>>     <!--- set the client variables that are needed to access the application --->
>>   </cfif>
>> </cfif>
>>
>> Does this make sense? Is this approach safe, security-wise, considering
>> no one knows what algorithm and encoding I am using to encrypt redirectToSS, and
>> also the fact that the key is sent over encrypted?
>>
>> Am I missing something important here? Any holes in this approach?
>>
>> Thanks,
>>
>> --
>> <Ajas Mohammed />
>> http://ajashadi.blogspot.com
>> We cannot become what we need to be, remaining what we are.
>> No matter what, find a way. Because that's what winners do.
>> You can't improve what you don't measure.
>> Quality is never an accident; it is always the result of high intention,
>> sincere effort, intelligent direction and skillful execution; it represents
>> the wise choice of many alternatives.
>>
>> -------------------------------------------------------------
>> To unsubscribe from this list, manage your profile @
>> http://www.acfug.org?fa=login.edituserform
>>
>> For more info, see http://www.acfug.org/mailinglists
>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>> List hosted by FusionLink <http://www.fusionlink.com>
>> -------------------------------------------------------------
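The thread ends with a plan to add a timestamp against replay, and with a handoff that puts both the ciphertext and the (re-encrypted) key in the same query string. Below is an added example, not code from the thread or from any ACFUG poster, of the handoff pattern a practitioner would use instead: the SSO side puts one token in the redirect URL; the token carries the username, an issue timestamp and a random nonce, and is authenticated with an HMAC under a secret the two servers share out of band, so nothing secret travels in the URL, a tampered or forged token fails the signature check, a stale one fails the timestamp check, and a captured one presented a second time fails the nonce check. It is written in Python rather than CFML so it can be run as-is; the shared secret value, the `sso` parameter name, the 60-second lifetime and the in-memory nonce store are all assumptions of the example.

```python
"""Signed, single-use SSO handoff token for a cross-application redirect.

Added example (not from the ACFUG thread). The SSO application and the secure
area share SECRET out of band; only the signed token appears in the URL.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Assumption: a secret provisioned on both servers (constructed demo value).
SECRET = b"constructed-demo-secret-replace-in-production"
MAX_AGE = 60   # seconds a token stays redeemable (the timestamp check)
SKEW = 5       # tolerated clock difference between the two servers


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, now: int = None, nonce: str = None, secret: bytes = SECRET) -> str:
    """Return '<body>.<sig>': body = user, issue time, random nonce; sig = HMAC-SHA256 over body."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16) if nonce is None else nonce
    body = _b64e(json.dumps({"u": username, "t": now, "n": nonce}, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(sig)


def build_redirect(username: str, target: str = "../secureArea/MyHome.cfm") -> str:
    """The URL the SSO side would hand to its redirect; the token is the only query parameter."""
    return target + "?" + urlencode({"sso": issue_token(username)})


class NonceStore:
    """Nonces already redeemed, so a captured URL cannot be replayed within MAX_AGE.
    Entries older than MAX_AGE + SKEW are dropped; the timestamp check rejects them anyway."""

    def __init__(self):
        self._seen = {}

    def consume(self, nonce: str, now: int) -> bool:
        for old, seen_at in list(self._seen.items()):
            if now - seen_at > MAX_AGE + SKEW:
                del self._seen[old]
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def verify_token(token: str, store: NonceStore, now: int = None, secret: bytes = SECRET):
    """Return (username, 'ok') or (None, reason). The signature is checked before anything is parsed."""
    now = int(time.time()) if now is None else now
    if token.count(".") != 1:
        return None, "malformed"
    body, sig = token.split(".")
    try:
        given = _b64d(sig)
    except ValueError:
        return None, "malformed"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None, "bad signature"      # altered body or forged signature, constant-time reject
    claims = json.loads(_b64d(body))      # safe to parse: the body is authentic
    age = now - int(claims["t"])
    if age < -SKEW or age > MAX_AGE:
        return None, "expired"            # the timestamp check the thread proposes
    if not store.consume(claims["n"], now):
        return None, "replayed"           # same token presented a second time
    return claims["u"], "ok"


if __name__ == "__main__":
    store = NonceStore()
    tok = issue_token("ajas", now=1000, nonce="demo-nonce")
    print(build_redirect("ajas"))
    print(verify_token(tok, store, now=1010))          # ('ajas', 'ok')
    print(verify_token(tok, store, now=1011))          # (None, 'replayed')
    print(verify_token(tok, NonceStore(), now=1200))   # (None, 'expired')
```

Two points of design worth noting. The secure area verifies the HMAC before it decodes or trusts any field, which is why encryption alone (as in the thread's scheme) is not enough: encryption hides the marker but does not stop an attacker from altering or re-sending it, whereas an HMAC under a secret that never leaves the servers does both. And because the token sits in a query string, which proxies log and browsers leak through Referer, the short lifetime plus the single-use nonce are what bound the damage of a captured URL; in a multi-server deployment the nonce store must be shared (a database or cache table), not per-process memory as in this example.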
