CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment


REGISTER and a lost login cookie

  • To: cosign-discuss <cosign-discuss@xxxxxxxxx>
  • Subject: REGISTER and a lost login cookie
  • From: Brian Hatch <bri@xxxxxxxxx>
  • Date: Tue, 8 Mar 2005 23:56:43 -0800
  • User-agent: Mutt/1.5.6+20040907i

I am having some problems with my cosign instance with basicauth.

Say you log in, go get a service cookie or two, and then sit
idle.  Monster comes along and deletes the service cookie.
When you come back to either the login page (possibly via
a redirect by a service page) your browser sends the login
cookie which is no longer present in the daemon/ directory.

The basicosign.cgi program simply reads REMOTE_USER and then
connects to the cosign server on port 6663 and issues the

f_starttls arg 0: STARTTLS
f_register arg 0: REGISTER
f_register arg 1: cosign=GaKaf+9ne7JxhBo.....UvA6zZZ060Pg
f_register arg 2:
f_register arg 3:

Now, since the file /var/lib/cosign/daemon/cosign=GaKaf+9ne....
doesn't exist (monster ate it) then I'm getting an error in
the read_cookie() call inside f_register function.  (Note: 
would be nice to have a syslog call before the snet_write/return
to make debugging this easier.)

Is this to be expected?

I was thinking there are two ways around this (given that I'm
intercepting things before basicosign.cgi actually runs):

	* If I get an error from basicosign.cgi, then re-run it
	  without any login cookie - this will cause basicosign.cgi
	  to generate a new one, register it as a login cookie, and
	  pass it back to the browser.

	* Have my interceptor CGI look in the /var/lib/cosign/daemon
	  directory to see if the cookie is there, and if not clear
	  the cookie before running basicosign.cgi.  This suffers
	  from a race condition, in that monster could remove the
	  file between the time my interceptor sees it and
	  basicosign.cgi calls the daemon, and doesn't work when
	  the daemon is on a different machine at all.

Suggestions welcome....

[1] I modified all the f_ functions in command.c to include debug
    output by adding a line like the following just after all
    variable declarations, which is how I'm getting this output that
    is normally inside the SSL stream:

      int i; for ( i=0; i<ac; i++ ) { syslog( LOG_DEBUG, "f_login arg %d: %s",i,av[i]); }

Brian Hatch                  Initiative comes to those
   Systems and                who wait.
   Security Engineer

Every message PGP signed

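Added example, not code from the post or from cosign itself: a small Python simulation of the REGISTER path described above and of the first workaround (retry with a fresh login cookie when the daemon rejects the browser's one). The daemon directory, cookie format and reply values are assumptions modelled on the message, not the real cosign wire protocol.

```python
import os
import secrets
import tempfile

# Constructed stand-in for /var/lib/cosign/daemon: one file per login cookie.
DAEMON_DIR = tempfile.mkdtemp(prefix="cosign-daemon-")


def read_cookie(login_cookie):
    """Simulates the daemon's read_cookie(): true only while the file exists."""
    return os.path.isfile(os.path.join(DAEMON_DIR, login_cookie))


def register(login_cookie, remote_user):
    """Simulated REGISTER reply; the daemon is the authority on the cookie."""
    if not read_cookie(login_cookie):
        return (False, "cookie file missing (monster ate it)")
    return (True, "registered %s" % remote_user)


def new_login_cookie():
    """Mint a fresh login cookie and create its daemon file (constructed format)."""
    login_cookie = "cosign=" + secrets.token_urlsafe(32)
    with open(os.path.join(DAEMON_DIR, login_cookie), "w") as f:
        f.write("")
    return login_cookie


def basicosign(login_cookie, remote_user):
    """Wrapper modelling the first workaround from the post.

    Returns (cookie, set_cookie_needed). Try REGISTER with the browser's
    cookie; if the daemon rejects it, retry with a newly minted cookie. No
    directory pre-check is made, so there is no check-then-use race and
    the same logic works when the daemon runs on another host.
    """
    if login_cookie is not None:
        ok, _ = register(login_cookie, remote_user)
        if ok:
            return (login_cookie, False)
    fresh = new_login_cookie()
    ok, _ = register(fresh, remote_user)
    assert ok, "a freshly minted cookie must register"
    return (fresh, True)


def monster_eats(login_cookie):
    """Simulate the idle sweeper removing the cookie file behind our back."""
    os.remove(os.path.join(DAEMON_DIR, login_cookie))
```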

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010