cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: Cosign Re-Authentication Specification
On 25 Mar 2005, at 15:59, Cory Snavely wrote:
> * Suggestion. On the re-auth page, it occurs to me that if someone
>   *innocently* arrives there, they are unlikely to suffer through n
>   attempts at impersonation without knowing that afterward they get
>   to authenticate as themselves. The way it is currently kind of
>   assumes they are up to no good.
>
>   I think there should be a "this isn't me--log on as a different
>   person" button. Not quite sure how to word that, but I think it's
>   needed to help the innocent victim.

Good idea. Let's add a button/text. If the user selects this path,
they will logout the previous user, and be redirected back to the
URL. Since the URL required (unsatisfied) reauthN, there should be
no cached cookies, the "CHECK" will fail, a new service cookie will
be set, and a login will be triggered.

> * I agree with the others that the *service* sometimes needs to have
>   weblogin force reauthen. I definitely can think of instances where
>   the service might want to decide to reauth--for example, for a
>   particularly sensitive operation, as you see on e.g. buy.com or
>   travelocity before you complete a transaction.
>
>   To do that securely, though, the application must somehow communicate
>   that need to the local cosign module or weblogin. I think this is
>   trickier than it sounds to do in such a way that the user can't
>   easily defeat. The two secure approaches I can think of require
>   state.
>
>   So, I would propose that service-side forcing of authen--IOW, forcing
>   authen *after* a service cookie exists--be considered a case of the
>   "authen timeout" feature that has been discussed before. I would
>   conceive this as Apache directives that specify pairs of regexps and
>   time thresholds that the local cosign module enforces by ignoring the
>   service cookie if the age of authen falls outside the allowable
>   parameters. Set it to 15 seconds for a regexp that matches your VISA
>   card entry page URL; set it to 10 minutes for a regexp that matches
>   the whole financial module of your application.
>
>   So, a distinctly different feature, and not combined with this
>   proposed reauth change for whole services that always require
>   reauthen for entry.

As of 1.7.x, cosign service cookies have timeouts. Currently, they
are server-wide, but it could be moved to a directory/location.
:wes
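
The per-URL "authen timeout" check proposed in the quoted text, sketched as an added example; it is not part of the original message and is not cosign code. It shows the case the 15-second and 10-minute thresholds create when both regexps match the same URL, where the strictest limit has to win. The URL paths, rule list and function names are hypothetical, and the authentication time is assumed to come from server-side state.

```python
import re

# Constructed policy mirroring the two thresholds in the message:
# (URL regexp, maximum age of authentication in seconds).
RULES = [
    (re.compile(r"^/finance/"), 600),              # whole financial module: 10 minutes
    (re.compile(r"^/finance/card-entry$"), 15),    # card entry page: 15 seconds
]


def max_authn_age(path, rules=RULES):
    """Return the strictest threshold among all rules matching path, or None."""
    limits = [limit for pattern, limit in rules if pattern.search(path)]
    return min(limits) if limits else None


def honor_service_cookie(path, authn_time, now, rules=RULES):
    """Decide whether the service cookie may be used for this request.

    authn_time is assumed to come from server-side state (when the user last
    authenticated), never from a value the browser can edit.
    """
    limit = max_authn_age(path, rules)
    if limit is None:
        return True          # no per-URL rule; only the server-wide timeout applies
    age = now - authn_time
    if age < 0:
        return False         # authentication "in the future": fail closed
    return age <= limit


def demo():
    now = 1_000_000          # constructed clock value, in seconds
    requests = [
        ("/finance/statements", now - 300),   # 5 minutes old, inside the 10 minute window
        ("/finance/card-entry", now - 300),   # 5 minutes old, but the 15 second rule also matches
        ("/finance/card-entry", now - 10),    # authenticated 10 seconds ago
        ("/help/faq", now - 86_400),          # no rule matches this path
        ("/finance/statements", now + 60),    # timestamp ahead of the clock
    ]
    return [honor_service_cookie(p, t, now) for p, t in requests]


if __name__ == "__main__":
    print(demo())
```

A False result corresponds to the module ignoring the service cookie, which sends the user back through weblogin.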