RE: Cross site "single sign on"
Howdy, We have a standalone authentication web service used by all our apps. It's cookie-based. Yoav Shapira Millennium ChemInformatics >-Original Message- >From: Tim Funk [mailto:[EMAIL PROTECTED] >Sent: Wednesday, December 03, 2003 6:54 AM >To: Tomcat Users List >Subject: Re: Cross site "single sign on" > >Sounds like pubcookie: >http://pubcookie.org/ > >-Tim > >Will Hartung wrote: >> Hi all! >> >> Not necessarily Tomcat specific, but I'm curious what others may have >done >> to support cross site single sign on. >> >> The basic problem is that customer goes to site A, and logs in. Then >while >> navigating that site, they eventually head over to site B. >> >> Of course when they hit site B, the customer should already be "logged >in". >> >> If site A and site B live in the same domain space (say, site.com and >> b.site.com), then a "site.com" cookie should be able to be used as a >token >> that show login. Of course, this requires cookies. It also requires both >> sites to "maintain" the cookie if the cookie is allowed to expire (say, >it's >> only useful for 30 minutes). >> >> However I think this would have to be a "signed" cookie, where both >> participating servers encrypt to cookie with a known key (perhaps a >shared >> public key). >> >> Now, if you have sitea.com and siteb.com, then the cookie technique can't >> work (as neither can set a cookie for the other). So, I'm thinking that >you >> can do something similiar, a signed token, in a hidden field and then >having >> to submit a form to get to the new site. >> >> Of course, you can always stick the token on the URL as well. >> >> Does that sum it up? Any other ways for cooperating sites to >"transparently" >> exchange credentials? I suppose the back ends can do it. Send signed >packets >> to each other during their log in processes to notify cooperating >services. >> >> But if your logins "time out", you still need to constantly update the >> session information. It's not enough to know that "Bob signed in at 10am, >> and expires at 10:30". If Bob actively uses the site, you want the time >out >> to be since last activity. >> >> How are others doing this and what have you found effective? >> >> Regards, >> >> Will Hartung >> ([EMAIL PROTECTED]) >> > > >- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Cross site "single sign on"
Sounds like pubcookie: http://pubcookie.org/ -Tim Will Hartung wrote: Hi all! Not necessarily Tomcat specific, but I'm curious what others may have done to support cross site single sign on. The basic problem is that customer goes to site A, and logs in. Then while navigating that site, they eventually head over to site B. Of course when they hit site B, the customer should already be "logged in". If site A and site B live in the same domain space (say, site.com and b.site.com), then a "site.com" cookie should be able to be used as a token that show login. Of course, this requires cookies. It also requires both sites to "maintain" the cookie if the cookie is allowed to expire (say, it's only useful for 30 minutes). However I think this would have to be a "signed" cookie, where both participating servers encrypt to cookie with a known key (perhaps a shared public key). Now, if you have sitea.com and siteb.com, then the cookie technique can't work (as neither can set a cookie for the other). So, I'm thinking that you can do something similiar, a signed token, in a hidden field and then having to submit a form to get to the new site. Of course, you can always stick the token on the URL as well. Does that sum it up? Any other ways for cooperating sites to "transparently" exchange credentials? I suppose the back ends can do it. Send signed packets to each other during their log in processes to notify cooperating services. But if your logins "time out", you still need to constantly update the session information. It's not enough to know that "Bob signed in at 10am, and expires at 10:30". If Bob actively uses the site, you want the time out to be since last activity. How are others doing this and what have you found effective? Regards, Will Hartung ([EMAIL PROTECTED]) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Cross site "single sign on"
Hi all! Not necessarily Tomcat specific, but I'm curious what others may have done to support cross site single sign on. The basic problem is that customer goes to site A, and logs in. Then while navigating that site, they eventually head over to site B. Of course when they hit site B, the customer should already be "logged in". If site A and site B live in the same domain space (say, site.com and b.site.com), then a "site.com" cookie should be able to be used as a token that show login. Of course, this requires cookies. It also requires both sites to "maintain" the cookie if the cookie is allowed to expire (say, it's only useful for 30 minutes). However I think this would have to be a "signed" cookie, where both participating servers encrypt to cookie with a known key (perhaps a shared public key). Now, if you have sitea.com and siteb.com, then the cookie technique can't work (as neither can set a cookie for the other). So, I'm thinking that you can do something similiar, a signed token, in a hidden field and then having to submit a form to get to the new site. Of course, you can always stick the token on the URL as well. Does that sum it up? Any other ways for cooperating sites to "transparently" exchange credentials? I suppose the back ends can do it. Send signed packets to each other during their log in processes to notify cooperating services. But if your logins "time out", you still need to constantly update the session information. It's not enough to know that "Bob signed in at 10am, and expires at 10:30". If Bob actively uses the site, you want the time out to be since last activity. How are others doing this and what have you found effective? Regards, Will Hartung ([EMAIL PROTECTED]) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]