cosign-discuss at umich.edu
general discussion of cosign development and deployment
REGISTER and a lost login cookie
- To: cosign-discuss <cosign-discuss@xxxxxxxxx>
- Subject: REGISTER and a lost login cookie
- From: Brian Hatch <bri@xxxxxxxxx>
- Date: Tue, 8 Mar 2005 23:56:43 -0800
- User-agent: Mutt/1.5.6+20040907i
I am having some problems with my cosign instance with basicauth.
Say you log in, go get a service cookie or two, and then sit
idle. Monster comes along and deletes the service cookie.
When you come back to the login page (possibly via
a redirect from a service page), your browser sends the login
cookie, which is no longer present in the daemon/ directory.
The basicosign.cgi program simply reads REMOTE_USER and then
connects to the cosign server on port 6663 and issues the
following: [1]
f_starttls arg 0: STARTTLS
f_register arg 0: REGISTER
f_register arg 1: cosign=GaKaf+9ne7JxhBo.....UvA6zZZ060Pg
f_register arg 2: 192.168.1.1
f_register arg 3: cosign-hostname.example.com=n9-Tj3...+J9klJo---o
Now, since the file /var/lib/cosign/daemon/cosign=GaKaf+9ne....
doesn't exist (monster ate it), I'm getting an error in
the read_cookie() call inside the f_register function. (Note:
it would be nice to have a syslog call before the snet_write/return
to make debugging this easier.)
Is this to be expected?
I was thinking there are two ways around this (given that I'm
intercepting things before basicosign.cgi actually runs):
* If I get an error from basicosign.cgi, then re-run it
without any login cookie - this will cause basicosign.cgi
to generate a new one, register it as a login cookie, and
pass it back to the browser.
* Have my interceptor CGI look in the /var/lib/cosign/daemon
directory to see if the cookie is there, and if not, clear
the cookie before running basicosign.cgi. This suffers
from a race condition, in that monster could remove the
file between the time my interceptor sees it and the time
basicosign.cgi calls the daemon, and it doesn't work at all
when the daemon is on a different machine.
Suggestions welcome....
[1] I modified all the f_ functions in command.c to include debug
output by adding a line like the following just after all
variable declarations, which is how I'm getting this output that
is normally inside the SSL stream:
int i; for ( i=0; i<ac; i++ ) { syslog( LOG_DEBUG, "f_login arg %d: %s",i,av[i]); }
--
Brian Hatch                     Initiative comes to those
Systems and                     who wait.
Security Engineer
http://www.ifokr.org/bri/
Every message PGP signed
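The exchange and failure mode described in the post above, as an added example: this is not code from the post or from the cosign project. It models cosignd as a fake daemon that keeps one file per login cookie in a daemon/ directory (standing in for /var/lib/cosign/daemon), makes REGISTER fail when that file is missing, and shows both workarounds from the post: option 1 (retry with a freshly minted login cookie after an error) and option 2 (check the directory first), including the check-then-use race that makes option 2 unreliable. The status lines, file layout, cookie format and all function names are assumptions for illustration, not cosignd's actual protocol or storage.

```python
"""Added example, not cosign's own code.

A toy model of the REGISTER failure in the post: a fake cosignd keeps login
cookies as files in a daemon/ directory, REGISTER fails when the file is gone,
and the client recovers as option 1 describes. Status lines, file layout and
function names are assumptions for illustration, not cosignd's.
"""
import os
import secrets
import tempfile


class FakeCosignDaemon:
    """Stands in for cosignd. One file per login cookie in daemon_dir."""

    def __init__(self, daemon_dir):
        self.daemon_dir = daemon_dir

    def cookie_path(self, cookie):
        return os.path.join(self.daemon_dir, cookie)

    def login(self, login_cookie, ip, user):
        with open(self.cookie_path(login_cookie), "w") as f:
            f.write(f"{ip} {user}\n")
        return "220 LOGIN ok"  # placeholder status line (assumed)

    def register(self, login_cookie, ip, service_cookie):
        # Like f_register -> read_cookie(): the login cookie file must exist.
        try:
            with open(self.cookie_path(login_cookie)) as f:
                ip_on_file, _user = f.read().split()
        except FileNotFoundError:
            return "534 Unknown login cookie"  # placeholder error line (assumed)
        if ip_on_file != ip:
            return "534 IP mismatch"  # placeholder error line (assumed)
        # Record the service cookie and which login cookie it belongs to.
        with open(self.cookie_path(service_cookie), "w") as f:
            f.write(f"{login_cookie}\n")
        return "220 REGISTER ok"  # placeholder status line (assumed)


def new_cookie(name):
    """Fresh cookie of the form name=<random>, e.g. cosign=... ."""
    return f"{name}={secrets.token_urlsafe(48)}"


def register_with_recovery(daemon, login_cookie, ip, user, service):
    """Option 1: try REGISTER; on error, drop the stale login cookie,
    log in again with a new one and retry. Returns (login, service, recovered)."""
    service_cookie = new_cookie(f"cosign-{service}")
    if daemon.register(login_cookie, ip, service_cookie).startswith("220"):
        return login_cookie, service_cookie, False
    login_cookie = new_cookie("cosign")          # browser's old cookie is discarded
    daemon.login(login_cookie, ip, user)          # re-register it as a login cookie
    resp = daemon.register(login_cookie, ip, service_cookie)
    if not resp.startswith("220"):
        raise RuntimeError(resp)
    return login_cookie, service_cookie, True


def precheck_then_register(daemon, login_cookie, ip, service, between=None):
    """Option 2: look in the daemon/ directory first. `between` stands in for
    monster running in the window after the check and before REGISTER."""
    present = os.path.exists(daemon.cookie_path(login_cookie))
    if between is not None:
        between()
    if not present:
        return "precheck: stale login cookie"
    return daemon.register(login_cookie, ip, new_cookie(f"cosign-{service}"))


def demo():
    """Walk through: normal REGISTER, REGISTER after monster, and the race."""
    with tempfile.TemporaryDirectory() as d:
        daemon = FakeCosignDaemon(d)
        ip, user, svc = "192.168.1.1", "bri", "hostname.example.com"
        lc = new_cookie("cosign")
        daemon.login(lc, ip, user)

        _, _, recovered_ok = register_with_recovery(daemon, lc, ip, user, svc)

        os.remove(daemon.cookie_path(lc))  # monster eats the login cookie file
        lc2, _, recovered_stale = register_with_recovery(daemon, lc, ip, user, svc)

        # Option 2's race: the check passes, monster runs, REGISTER still fails.
        eat = lambda: os.remove(daemon.cookie_path(lc2))
        race = precheck_then_register(daemon, lc2, ip, svc, between=eat)
        return recovered_ok, recovered_stale, lc2 != lc, race.startswith("534")


if __name__ == "__main__":
    print(demo())  # (False, True, True, True)
```

The first call registers cleanly; after the login cookie file is removed, the second call hits the same error the post describes and recovers only because it mints a new login cookie and logs in again rather than reusing the one the browser sent. The last call shows why the pre-check cannot be trusted: the file is present at check time and gone by the time REGISTER runs, so the daemon's answer, not the directory listing, is the only reliable signal, and it is the only one available when the daemon lives on another host.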