CoSign: Collaborative Single Sign-On  
 

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 


Re: Cosign Re-Authentication Specification




> this is very cool, and is something the University of Auckland would be very
> interested in also. One thing which might be nice (but is a larger
> impact) is the ability for the filter to tell the cosign server to
> reauthenticate (i.e. passing a reauth tag to the CGI, no registration
> etc). This means the filter might then be able to force the user to
> reauthenticate perhaps every 10 minutes to continue to access the
> financial system etc? What do you think? Also the advantage of this is
> it leads to forcing reauth for certain URLs in the application, like for
> example in the financials, to change the pay rate or something like that.
> Thoughts?

The one big worry with any kind of 'more frequent authentication' system
is you probably want to disable the re-auth for POSTs, since that data
is lost in the redirects.  On a POST heavy site, this could mean you
evade reauthenticating for a while, but I'd hate to be filling out my
billpay and lose it after I'd authenticated 10 minutes ago.  GET re-auth
only, or configurable in httpd.conf.


-- 
Brian Hatch                  "I am a Ranger. We walk in the dark places
   Systems and                no others will enter. We stand on the
   Security Engineer          bridge and no one may pass.
http://www.ifokr.org/bri/     We live for the One, we die for the One."

Every message PGP signed

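The policy sketched in this exchange (a filter that forces a fresh login after a fixed interval, but only on GET so that a pending POST body is not lost across the redirect, plus a tighter freshness window for sensitive URLs) as an added example. This is not cosign code and not anything Brian or the Auckland poster wrote; the WSGI framing, the `reauth.last_auth` environ key, the `reauth=1` query parameter and the weblogin URL are all assumptions made for illustration.

```python
"""Hypothetical re-authentication middleware (added example, not cosign's filter).

Assumptions (not from the original thread):
  * an upstream SSO filter has already authenticated the user and stored the
    time of the last interactive login in environ["reauth.last_auth"];
  * redirecting to LOGIN_URL with ?reauth=1 makes the SSO server demand a
    fresh password and then send the browser back to the 'return' URL.
"""
import time
from urllib.parse import quote

LOGIN_URL = "https://weblogin.example.edu/"   # assumed re-auth endpoint
LAST_AUTH_KEY = "reauth.last_auth"            # assumed environ key set upstream


class ReauthPolicy:
    """Decide whether a request must be bounced to the login server."""

    def __init__(self, max_age, per_url=None, reauth_methods=frozenset({"GET"}),
                 login_url=LOGIN_URL):
        self.max_age = max_age                 # site-wide freshness limit (seconds)
        self.per_url = dict(per_url or {})     # path prefix -> tighter limit
        # Only these methods are ever redirected; a POST carries a body that a
        # 302 would discard, so it is let through even when the session is stale.
        self.reauth_methods = frozenset(m.upper() for m in reauth_methods)
        self.login_url = login_url

    def decide(self, method, path, last_auth, now):
        """Return None to let the request through, or the redirect target."""
        if method.upper() not in self.reauth_methods:
            return None
        limit = self.max_age
        for prefix, window in self.per_url.items():
            if path.startswith(prefix):
                limit = min(limit, window)     # strictest matching rule wins
        if last_auth is None or now - last_auth > limit:
            return f"{self.login_url}?reauth=1&return={quote(path, safe='')}"
        return None


class ReauthMiddleware:
    """WSGI wrapper applying a ReauthPolicy in front of an application."""

    def __init__(self, app, policy, clock=time.time):
        self.app, self.policy, self.clock = app, policy, clock

    def __call__(self, environ, start_response):
        target = self.policy.decide(
            environ.get("REQUEST_METHOD", "GET"),
            environ.get("PATH_INFO", "/"),
            environ.get(LAST_AUTH_KEY),
            self.clock(),
        )
        if target is None:
            return self.app(environ, start_response)
        start_response("302 Found", [("Location", target),
                                     ("Content-Type", "text/plain")])
        return [b"re-authentication required\n"]


def demo():
    """Exercise the policy with a constructed clock; returns the outcomes."""
    policy = ReauthPolicy(max_age=600, per_url={"/finance/payrate": 60})
    now = 1_000_000
    return {
        "fresh GET":       policy.decide("GET", "/finance/summary", now - 300, now),
        "stale GET":       policy.decide("GET", "/finance/summary", now - 700, now),
        "stale POST":      policy.decide("POST", "/finance/summary", now - 700, now),
        "payrate 90s old": policy.decide("GET", "/finance/payrate", now - 90, now),
        "payrate 30s old": policy.decide("GET", "/finance/payrate", now - 30, now),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:16s} -> {'pass' if outcome is None else outcome}")
```

Note the trade-off Brian points out is visible in `decide`: a client that only ever POSTs is never redirected, so the interval is a convenience for interactive use, not a hard security boundary. Wiring the redirect into the SSO server's own `reauth` handling is the part this example assumes rather than implements.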


 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010