CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment


Re: Cosign Re-Authentication Specification

Wesley Craig wrote:
On 25 Mar 2005, at 15:59, Cory Snavely wrote:


  I think there should be a "this isn't me--log on as a different
  person" button. Not quite sure how to word that, but I think it's
  needed to help the innocent victim.

Good idea. Let's add a button/text. If the user selects this path, they will log out the previous user and be redirected back to the URL. Since the URL required (unsatisfied) reauthN, there should be no cached cookies, the "CHECK" will fail, a new service cookie will be set, and a login will be triggered.

Either that, or just go straight to weblogin.

  So, I would propose that service-side forcing of authen--IOW, forcing
  authen *after* a service cookie exists--be considered a case of the
  "authen timeout" feature that has been discussed before. I would
  conceive this as Apache directives that specify pairs of regexps and
  time thresholds that the local cosign module enforces by ignoring the
  service cookie if the age of authen falls outside the allowable
  parameters. Set it to 15 seconds for a regexp that matches your VISA
  card entry page URL; set it to 10 minutes for a regexp that matches
  the whole financial module of your application.

As of 1.7.x, cosign service cookies have timeouts. Currently, they are server-wide, but it could be moved to a directory/location.

Oh--cool. :) I guess I need to read the release notes more closely! If I run across a need to have this directive supported at something more granular than per-server, I'll post it as an example.
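The per-location re-authentication policy sketched in the thread above (pairs of regexps and time thresholds, enforced by ignoring the service cookie when the user's authentication is older than the threshold for the matched URL) as an added worked example. This is not cosign's code and is not from the thread: the rule table, the sample URIs, the function names `reauth_threshold` and `cookie_acceptable`, and the assumption that the module knows when the user last authenticated are all constructed here for illustration. Rule order matters, since the first matching regexp wins, and a timestamp from the future is treated as untrusted and forces a fresh login.

```c
#include <regex.h>
#include <stdio.h>
#include <time.h>

/*
 * Per-URL re-authentication policy: a regexp over the request URI paired
 * with the maximum acceptable age, in seconds, of the user's authentication.
 * Structure and names are assumptions for this example, not cosign's own.
 */
struct reauth_rule {
    const char *pattern;   /* POSIX extended regexp matched against the URI */
    long        max_age;   /* seconds since login the service cookie stays valid */
};

/* Constructed sample table. Order matters: first match wins, so the
 * narrow card-entry rule must precede the broad financial-module rule. */
static const struct reauth_rule rules[] = {
    { "^/finance/pay/card", 15  },   /* card number entry page: 15 seconds */
    { "^/finance/",         600 },   /* whole financial module: 10 minutes  */
};
static const int nrules = (int)(sizeof rules / sizeof rules[0]);

/* Return the max_age of the first rule whose regexp matches uri,
 * or -1 when no rule applies (ordinary service-cookie handling). */
long reauth_threshold(const char *uri)
{
    for (int i = 0; i < nrules; i++) {
        regex_t re;
        if (regcomp(&re, rules[i].pattern, REG_EXTENDED | REG_NOSUB) != 0)
            continue;              /* a real module would reject this at config time */
        int matched = (regexec(&re, uri, 0, NULL, 0) == 0);
        regfree(&re);
        if (matched)
            return rules[i].max_age;
    }
    return -1;
}

/* Decide whether an existing service cookie may be honored for this request.
 * auth_time is when the user last authenticated (assumed to be recorded
 * alongside the cookie); now is the current time. Returns 1 to accept the
 * cookie, 0 to ignore it and trigger a fresh login. */
int cookie_acceptable(const char *uri, time_t auth_time, time_t now)
{
    long limit = reauth_threshold(uri);
    if (limit < 0)
        return 1;                  /* no rule: plain cookie validity applies */
    if (now < auth_time)
        return 0;                  /* clock skew or a tampered timestamp: fail closed */
    return (now - auth_time) <= limit;
}

int main(void)
{
    time_t now = time(NULL);
    const char *uris[] = { "/finance/pay/card", "/finance/reports", "/home" };
    for (int i = 0; i < 3; i++) {
        /* evaluate a cookie whose login happened 60 seconds ago */
        printf("%-20s threshold=%4ld  accept=%d\n", uris[i],
               reauth_threshold(uris[i]),
               cookie_acceptable(uris[i], now - 60, now));
    }
    return 0;
}
```

With a 60-second-old login, the card entry page is refused (its 15-second window has passed), the rest of the financial module is still accepted, and an unmatched URI falls back to ordinary cookie handling. Compiling rules on every request is wasteful; an Apache module would compile them once when the directive is parsed.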


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010