WebApp Sec mailing list archives

Re: Transferring a Session
From: Willie Northway <willn () umich edu>
Date: Wed, 5 May 2004 12:05:53 -0400

On May 3, 2004, at 6:33 PM, David Robert wrote:
> I have a problem I would like some input on. I need to implement a solution that allows one website to securely transfer 'logged in' state to another

You may find that the cosign project fulfills your needs:


Cosign is an open source single sign-on solution which manages user logins through a central server. Once registered with the central server, users can freely visit any cosign protected sites for which they have authorization. These protected sites connect to the central cosign server through a back-side SSL connection to verify authentication, and then create a service cookie for ease of subsequent service visits.

This software is currently being used by the University of Michigan to manage several hundred thousand logins a day:

http://www.umich.edu/~umweb/software/cosign/cosign-discuss/msg00005.html

> 3) System B is written in Java and uses SSL, form based, username/password authentication.

The cosign filters are put in place on the protected sites, and have been written for Apache and IIS, and the Java filter beta has recently been released.

> The 'time dependent' nature of the last two are at the request of the
> client. They are concerned that the link can be read from the browser's
> cache by an attacker. Is this really a problem if the page on system A is
> set to not be cached?

The idle and hard-limit timeouts of the cosign session are both configurable. Once a cosign session has ended either through a timeout, or a user-action logout, the service cookie becomes worthless.

Below is a link to a description that Penn State has written about cosign:


Feel free to contact cosign () umich edu if you have further questions.

- Willie

Willie Northway                  University of Michigan Webmaster Team
http://willienorthway.com/       http://www.umich.edu/~umweb/
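The session model described in the message above (a central login server, protected services that verify over a back-side channel and then mint their own service cookie, idle and hard-limit timeouts, and a service cookie that becomes worthless once the central session ends), as an added illustration. This is example code, not cosign's own implementation; the timeout values, the `recheck_interval` at which a service re-verifies its cookie, and all class and method names are assumptions chosen for the demonstration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class CentralSession:
    user: str
    created: float     # login time; the hard-limit clock runs from here
    last_seen: float   # last successful verification; the idle clock restarts here
    active: bool = True


class CentralServer:
    """Stand-in for the central login server (assumed design, not cosign's code).
    It owns every login session and answers back-channel checks from protected
    services; the browser only ever holds an opaque token."""

    def __init__(self, idle_timeout, hard_limit, clock):
        self.idle_timeout = idle_timeout   # seconds of inactivity allowed (assumed value)
        self.hard_limit = hard_limit       # absolute lifetime in seconds (assumed value)
        self.clock = clock                 # injectable clock keeps the example deterministic
        self.sessions = {}

    def login(self, user):
        """User authenticates centrally; returns the opaque central token."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = CentralSession(user, now, now)
        return token

    def verify(self, token):
        """Back-channel check: the username, or None once the session has ended."""
        sess = self.sessions.get(token)
        if sess is None or not sess.active:
            return None
        now = self.clock()
        if now - sess.created > self.hard_limit or now - sess.last_seen > self.idle_timeout:
            sess.active = False            # an expired session is closed, never revived
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, token):
        """User-initiated logout ends the central session immediately."""
        sess = self.sessions.get(token)
        if sess is not None:
            sess.active = False


class ProtectedService:
    """One protected site. It maps a service cookie of its own to the central token and
    re-verifies over the back channel at most every recheck_interval seconds (assumed)."""

    def __init__(self, central, recheck_interval, clock):
        self.central = central
        self.recheck_interval = recheck_interval
        self.clock = clock
        self.cookies = {}

    def register(self, central_token):
        """First visit: verify the central token over the back channel, then mint a cookie."""
        user = self.central.verify(central_token)
        if user is None:
            return None
        cookie = secrets.token_urlsafe(32)
        self.cookies[cookie] = {"token": central_token, "user": user, "verified_at": self.clock()}
        return cookie

    def request(self, cookie):
        """Later visit: trust the cached verification while fresh, otherwise ask the central
        server again; a cookie whose central session has ended is discarded."""
        rec = self.cookies.get(cookie)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["verified_at"] >= self.recheck_interval:
            user = self.central.verify(rec["token"])
            if user is None:
                del self.cookies[cookie]
                return None
            rec["verified_at"] = now
        return rec["user"]


def demo():
    """Walk idle timeout, logout and hard limit through a fake clock; returns the outcomes."""
    clock = [1000.0]
    tick = lambda: clock[0]
    central = CentralServer(idle_timeout=600, hard_limit=3600, clock=tick)
    site = ProtectedService(central, recheck_interval=60, clock=tick)
    results = {}

    # 1. Idle timeout: 700 s without a verification exceeds the 600 s idle limit.
    cookie = site.register(central.login("alice"))
    results["fresh"] = site.request(cookie)
    clock[0] += 700
    results["after_idle"] = site.request(cookie)

    # 2. Logout: the service cookie is worthless from the next re-check onward.
    tok = central.login("bob")
    cookie = site.register(tok)
    central.logout(tok)
    clock[0] += 61
    results["after_logout"] = site.request(cookie)

    # 3. Hard limit: steady activity keeps the idle clock fresh but not the absolute lifetime.
    cookie = site.register(central.login("carol"))
    for _ in range(60):                    # 60 requests at 60 s spacing = exactly 3600 s
        clock[0] += 60
        results["active_before_hard_limit"] = site.request(cookie)
    clock[0] += 60                         # 3660 s since login: past the hard limit
    results["after_hard_limit"] = site.request(cookie)
    return results
```

The design point worth noticing is the `recheck_interval`: because the service caches its last verification, a cookie can outlive the central session by up to that interval, so the interval bounds how long a cached or stolen link remains usable after a timeout or logout; shrinking it trades back-channel load for tighter revocation.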
