cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: Cosign Re-Authentication Specification
> this is very cool, and is something the University of Auckland would be very
> interested in also. One thing which might be nice (but is a larger
> impact) is the ability for the filter to tell the cosign server to
> reauthenticate (i.e. passing a reauth tag to the CGI, no registration
> etc). This means the filter might then be able to force the user to
> reauthenticate perhaps every 10 minutes to continue to access the
> financial system etc? What do you think? Also the advantage of this is
> it leads to forcing reauth for certain URLs in the application, like for
> example in the financials, to change the pay rate or something like that.
The one big worry with any kind of 'more frequent authentication' system
is you probably want to disable the re-auth for POSTs, since that data
is lost in the redirects. On a POST heavy site, this could mean you
evade reauthenticating for a while, but I'd hate to be filling out my
billpay and lose it after I'd authenticated 10 minutes ago. GET re-auth
only, or configurable in httpd.conf.
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/

"I am a Ranger. We walk in the dark places no others will enter. We stand on the bridge and no one may pass. We live for the One, we die for the One."
Every message PGP signed
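An added example, not cosign's own code, of the filter-side decision the two messages sketch: a per-URL re-authentication interval (longest matching prefix wins, as with nested httpd.conf Location blocks), enforced on GET only so that a redirect to the login server never discards a POST body. The names REAUTH_POLICY, Location, lookup and needs_reauth and the sample policy are assumptions; times are seconds.

```python
from dataclasses import dataclass
import time


@dataclass
class Location:
    """Policy for one URL prefix (assumed shape, modelled on a per-Location setting)."""
    max_age: int                               # seconds since last login still accepted
    methods: frozenset = frozenset({"GET"})    # methods on which re-auth is enforced


# Constructed sample policy: anything under /finance/ must have authenticated in
# the last 10 minutes, changing a pay rate within the last 60 seconds. POST is not
# listed in any methods set, so form submissions are never bounced to the login CGI.
REAUTH_POLICY = {
    "/finance/": Location(max_age=600),
    "/finance/payrate": Location(max_age=60),
}


def lookup(path, policy=REAUTH_POLICY):
    """Return the policy of the longest prefix matching path, or None."""
    best = None
    for prefix, loc in policy.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, loc)
    return best[1] if best else None


def needs_reauth(method, path, last_auth, now=None, policy=REAUTH_POLICY):
    """True when the filter should redirect to the login server before serving
    this request; False when the request may proceed on the existing session."""
    now = time.time() if now is None else now
    loc = lookup(path, policy)
    if loc is None:
        return False                       # unprotected URL, normal cosign session rules apply
    if method.upper() not in loc.methods:
        return False                       # e.g. POST: the body would be lost in the redirect
    return now - last_auth > loc.max_age   # GET older than the window: re-authenticate
```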