cosign-discuss at umich.edu
general discussion of cosign development and deployment
> this is very cool, and is something the University of Auckland would be very
> interested in also. One thing which might be nice (but is a larger
> impact) is the ability for the filter to tell the cosign server to
> reauthenticate (i.e. passing a reauth tag to the CGI, no registration
> etc). This means the filter might then be able to force the user to
> reauthenticate perhaps every 10 minutes to continue to access the
> financial system etc? What do you think? Also the advantage of this is
> it leads to forcing reauth for certain URLs in the application, like for
> example in the financials, to change the pay rate or something like that.
> Thoughts?

The one big worry with any kind of 'more frequent authentication'
system is you probably want to disable the re-auth for POSTs, since
that data is lost in the redirects. On a POST heavy site, this could
mean you evade reauthenticating for a while, but I'd hate to be filling
out my billpay and lose it after I'd authenticated 10 minutes ago.

GET re-auth only, or configurable in httpd.conf.

--
Brian Hatch                  "I am a Ranger. We walk in the dark places
   Systems and                no others will enter. We stand on the
   Security Engineer          bridge and no one may pass.
http://www.ifokr.org/bri/     We live for the One, we die for the One."

Every message PGP signed
Attachment:
signature.asc
Description: Digital signature
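
The trade-off discussed in this message, as an added example that is not part of the original post and is not cosign code: a re-auth decision with a configurable method exemption, replayed over constructed traffic to show how long a POST-heavy session can run on a stale login. All names here (`ReauthPolicy`, `needs_reauth`, `replay`, the `/financials/` prefix) are hypothetical, and `hard_cap` is an assumption added for illustration, not something proposed in the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ReauthPolicy:
    max_age: int = 600                               # "every 10 minutes" from the thread
    exempt_methods: frozenset = frozenset({"POST"})  # body is lost in the redirect
    prefixes: tuple = ("/financials/",)              # constructed URL space needing fresh auth
    hard_cap: Optional[int] = None                   # assumption: ceiling applied to every method

def needs_reauth(policy, method, path, last_auth, now):
    """Return True if the filter should redirect this request to re-authenticate."""
    if not path.startswith(policy.prefixes):
        return False
    age = now - last_auth
    if age <= policy.max_age:
        return False
    if method.upper() in policy.exempt_methods:
        # Exempt methods pass on a stale login unless the hard cap is exceeded;
        # a redirect at that point still loses the request body.
        return policy.hard_cap is not None and age > policy.hard_cap
    return True

def replay(policy, requests, login_time=0):
    """Replay (time, method, path) tuples; return times at which re-auth was forced."""
    last_auth, forced = login_time, []
    for t, method, path in requests:
        if needs_reauth(policy, method, path, last_auth, t):
            forced.append(t)
            last_auth = t  # assume the user re-authenticates successfully
    return forced

# Constructed sample traffic (seconds since login): a POST-heavy session with one late GET.
SAMPLE = [
    (300, "GET", "/financials/payrate"),
    (900, "POST", "/financials/payrate"),
    (1500, "POST", "/financials/payrate"),
    (2400, "POST", "/financials/payrate"),
    (2500, "GET", "/financials/summary"),
    (2600, "GET", "/public/help"),
]

if __name__ == "__main__":
    print("GET-only re-auth:", replay(ReauthPolicy(), SAMPLE))
    print("with 30 min cap: ", replay(ReauthPolicy(hard_cap=1800), SAMPLE))
    print("all methods:     ", replay(ReauthPolicy(exempt_methods=frozenset()), SAMPLE))
```

With the POST exemption alone, the three POSTs at 900, 1500 and 2400 seconds all run on the original login and the first forced re-auth comes with the GET at 2500 seconds.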