CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment


Re: Transferring a Session

On May 3, 2004, at 6:33 PM, David Robert wrote:
> I have a problem I would like some input on. I need to implement a solution
> that allows one website to securely transfer 'logged in' state to another

You may find that the cosign project fulfills your needs:

Cosign is an open source single sign-on solution which manages user logins through a central server. Once registered with the central server, users can freely visit any cosign protected sites for which they have authorization. These protected sites connect to the central cosign server through a back-side SSL connection to verify authentication, and then create a service cookie for ease of subsequent service visits.

This software is currently being used by the University of Michigan to manage several hundred thousand logins a day: msg00005.html

> 3) System B is written in Java and uses SSL, form based, username/password authentication.

The cosign filters are put in place on the protected sites, and have been written for Apache and IIS, and the Java filter beta has recently been released.

> The 'time dependent' nature of the last two are at the request of the
> client. They are concerned that the link can be read from the browser's
> cache by an attacker. Is this really a problem if the page on system A is
> set to not be cached?

The idle and hard-limit timeouts of the cosign session are both configurable. Once a cosign session has ended either through a timeout, or a user-action logout, the service cookie becomes worthless.

Below is a link to a description that Penn State has written about cosign:

Feel free to contact cosign@xxxxxxxxx if you have further questions.

- Willie

Willie Northway                  University of Michigan Webmaster Team
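
The session behaviour described in the message above, as an added example that is not part of the original post and is not cosign code: a simplified model of a central server that a protected site queries over its back channel, with an idle timeout and a hard limit. All class, method and parameter names are hypothetical, and times are passed in explicitly so the behaviour is reproducible.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float      # used for the hard limit
    last_seen: float    # used for the idle timeout
    ended: bool = False


class CentralServer:
    """Toy central login server; names and structure are assumptions."""

    def __init__(self, idle_timeout, hard_limit):
        self.idle_timeout, self.hard_limit = idle_timeout, hard_limit
        self.sessions = {}   # login cookie -> Session
        self.services = {}   # service cookie -> login cookie

    def login(self, user, now):
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, now, now)
        return cookie

    def register_service(self, login_cookie, now):
        if self._live(login_cookie, now) is None:
            return None
        service_cookie = secrets.token_urlsafe(32)
        self.services[service_cookie] = login_cookie
        return service_cookie

    def logout(self, login_cookie):
        if login_cookie in self.sessions:
            self.sessions[login_cookie].ended = True

    def check(self, service_cookie, now):
        """Back-channel query from a protected site: user name or None."""
        return self._live(self.services.get(service_cookie), now)

    def _live(self, login_cookie, now):
        s = self.sessions.get(login_cookie)
        if s is None or s.ended:
            return None
        if now - s.created >= self.hard_limit or now - s.last_seen >= self.idle_timeout:
            s.ended = True   # a timed-out session never comes back
            return None
        s.last_seen = now    # activity resets only the idle clock
        return s.user
```

Because the service cookie is only a random reference that the central server resolves on each check, a copy recovered later from a browser cache resolves to nothing once the session has timed out or the user has logged out.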

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010