	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Transferring a Session

To: "David Robert" <drobert@xxxxxxxxxxxxx>
Subject: Re: Transferring a Session
From: Willie Northway <willn@xxxxxxxxx>
Date: Wed, 5 May 2004 12:05:53 -0400
Cc: cosign-discussion@xxxxxxxxx, "<webappsec@xxxxxxxxxxxxxxxxx>" <webappsec@xxxxxxxxxxxxxxxxx>
In-reply-to: <NEBBKODEMFFOKFIMGOLHAEJKFAAA.drobert@djinnsoft.com>
References: <NEBBKODEMFFOKFIMGOLHAEJKFAAA.drobert@djinnsoft.com>

On May 3, 2004, at 6:33 PM, David Robert wrote:

I have a problem I would like some input on. I need to implement a solution that allows one website to securely transfer 'logged in' state to another website.

You may find that the cosign project fulfills your needs:

http://weblogin.org/

Cosign is an open source single sign-on solution which manages user logins through a central server. Once registered with the central server, users can freely visit any cosign protected sites for which they have authorization. These protected sites connect to the central cosign server through a back-side SSL connection to verify authentication, and then create a service cookie for ease of subsequent service visits.

This software is currently being used by the University of Michigan to manage several hundred thousand logins a day:

http://www.umich.edu/~umweb/software/cosign/cosign-discuss/ msg00005.html

3) System B is written in Java and uses SSL, form based, username/password authentication.

The cosign filters are put in place on the protected sites, and have been written for apache and IIS, and the java filter beta has recently been released.

The 'time dependent' nature of the last two are at the request of the client. They are concerned that the link can be read from the browser's cache by an attacker. Is this really a problem if the page on system A is set to not be cached?

The idle and hard-limit timeouts of the cosign session are both configurable. Once a cosign session has ended either through a timeout, or a user-action logout, the service cookie becomes worthless.

Below is a link to a description that Penn State has written about cosign:

http://et.aset.psu.edu/initiatives/credential/publications/

Feel free to contact cosign@xxxxxxxxx if you have further questions.

- Willie

--
Willie Northway                  University of Michigan Webmaster Team
http://willienorthway.com/       http://www.umich.edu/~umweb/

Prev by Date: Re: Cosign beginner questions
Next by Date: IISCosign 1.0.0 Installer bug
Previous by thread: Re: Cosign beginner questions
Next by thread: IISCosign 1.0.0 Installer bug
Index(es):
- Date
- Thread