Set-Cookie: CASTGC=TGC-1-1N7IaTahULnxb6P8E46x2iG5BoG5PDcwQg8AaLyCEFPL6VgwzV;
Path=/cas; Secure
^^^^^^^^^^^^^^^^^^
Set-Cookie: CASPRIVACY=enabled; Path=/cas; Secure
^^^^^^^^^^^^^^^^^^^^
The cookie is not submitted to the application for two reasons:
- it is flagged as secure and you access the application using HTTP and not
HTTPS
- the path to the j_security_check servlet is not in the Cookie path /cas
You need to resolve the two above issues in order to make it work. It is likely
possible to define the path of the logon cookie in your SSO application
configuration. In that case you should probably set it to /. You can probably
also turn off the secure cookie stuff if you really want to, i.e. you do not
consider it as likely that anyone will succeed in a replay attack.
BR
-ascs
-----Original Message-----
From: Shahzad Bhatti [mailto:[EMAIL PROTECTED]
Sent: Monday, August 15, 2005 6:40 PM
To: [email protected]; [email protected]
Subject: RE: [EMAIL PROTECTED] mod_proxy/mod_proxy_html
I can see from the live header, that the single sign on server is setting
cookie, i.e.,
http://extranet.hendrickson-intl.com/cas/login?service=http%3A%2F%2Fwd-prtlsrv1%3A8080%2Fwcs%2Fj_security_check
HTTP/1.1
Set-Cookie: CASTGC=TGC-1-1N7IaTahULnxb6P8E46x2iG5BoG5PDcwQg8AaLyCEFPL6VgwzV;
Path=/cas; Secure
Set-Cookie: CASPRIVACY=enabled; Path=/cas; Secure
it then redirects to application, i.e.
GET
http://extranet.hendrickson-intl.com/wcs/j_security_check?ticket=ST-1-QKX76eV2KhxqMIp3MPvd
Note that j_security_check is a filter in the application that validates the
ticket issued by the single sign on. However, it doesn't see the above cookie.
Is there a way to pass the cookie from the single-sign-on module to the application?
The cookie doesn't have any domain when it is returned.
Note that we don't have the source code of the single sign on module, so there is
very little we can change.
Thanks.
-Shahzad Bhatti
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
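The two reasons given in the reply can be checked mechanically. The following is an added example, not code from either poster or from the CAS or Apache projects: it applies the RFC 6265 path-match rule and the Secure check to the Set-Cookie header and application URL quoted in the thread. The function names are hypothetical, the https URLs are constructed contrast cases, and host matching is assumed to succeed because both URLs use the same host.

```python
from urllib.parse import urlsplit

def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts at a "/" boundary, so /cas does not match /casino.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def parse_set_cookie(header_value):
    """Extract name, Path and Secure from a Set-Cookie value; other attributes are ignored.
    Simplification: a missing Path defaults to "/" instead of the RFC default-path."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    cookie = {"name": parts[0].split("=", 1)[0], "path": "/", "secure": False}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "path" and value.startswith("/"):
            cookie["path"] = value
        elif key.strip().lower() == "secure":
            cookie["secure"] = True
    return cookie

def why_not_sent(set_cookie, url):
    """Return the reasons a browser withholds the cookie from url (empty list: it is sent)."""
    cookie = parse_set_cookie(set_cookie)
    target = urlsplit(url)
    request_path = target.path or "/"
    reasons = []
    if cookie["secure"] and target.scheme != "https":
        reasons.append("Secure flag is set but the request uses " + target.scheme)
    if not path_matches(cookie["path"], request_path):
        reasons.append("request path %s is outside cookie Path %s"
                       % (request_path, cookie["path"]))
    return reasons

# Header and application URL as quoted in the thread (ticket parameter omitted).
COOKIE = "CASPRIVACY=enabled; Path=/cas; Secure"
APP_URL = "http://extranet.hendrickson-intl.com/wcs/j_security_check"

if __name__ == "__main__":
    for reason in why_not_sent(COOKIE, APP_URL):
        print("not sent:", reason)
```

Run against the thread's values it reports both conditions; the same cookie issued with Path=/ and requested over https passes both checks with the Secure flag left in place.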