[_] multi domain login
Matt Hamilton
matth at netsight.co.uk
Thu Nov 1 09:38:41 GMT 2007
On 1 Nov 2007, at 10:18, Adam Cullen wrote:

> To be honest, the more I thought about this after I posted yesterday the
> more I realised that it's no less secure than a standard login system, you
> could say it's just as easy to hijack another person's session in the same
> way. I'd suggest using a GUID for the OID and encrypting it for making the
> request from the image. Not sure what other people's opinions are on this?
> I'm not speaking from first-hand experience and I don't claim to be a
> security expert.

The pattern that most SSOs use (CAS, Webauth, OpenID, etc) is that the user
visits the site they are going to; if they need to log in then they are
redirected to another site (in the case of OpenID this is your OpenID
provider's site). You log in to this site and it then redirects you back to
the site you were going to along with some cryptographically signed token in
the query string. The main site then checks that token and sets you a cookie
itself to indicate you are logged in.

The OpenID provider site also sets a cookie for you, so that when you visit
the next SSO site and are redirected to your OpenID provider site you don't
need to enter your username and password again.

All the main systems use some kind of variant on this system. I'm not sure
how the big commercial sites like yahoo.com deal with this but I'd imagine
they do something similar. When I go to groups.yahoo.com it already knows me
as I logged into mail.yahoo.com earlier. I've not followed the HTTP requests
but I'd imagine it is similar.

-Matt

-- 
Matt Hamilton                                     matth at netsight.co.uk
Netsight Internet Solutions, Ltd.      Business Vision on the Internet
http://www.netsight.co.uk
+44 (0)117 9090901
Web Design | Zope/Plone Development & Consulting | Co-location | Hosting
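The redirect-and-signed-token exchange described in the message above, written out as an added example that is not part of the original post or of any of the SSO systems it names. Python is used because the list concerns Zope/Plone. The HMAC-SHA256 signature, the claim names (sub, iat, nonce, aud), the shared secret, the 120-second lifetime and the hostnames are all my own assumptions for illustration; real deployments (CAS, OpenID) define their own token formats. The point it shows is what the relying site has to check before it trusts the token and mints its own cookie: signature, audience, freshness and one-time use.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Secret shared between the SSO provider and the relying site (constructed
# sample value; in practice each relying site would get its own).
SHARED_SECRET = b"constructed-shared-secret-for-this-example"
TOKEN_TTL_SECONDS = 120  # assumption: tokens are only valid for two minutes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, secret: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def provider_issue_redirect(user: str, return_to: str,
                            secret: bytes = SHARED_SECRET, now=None) -> str:
    """Provider side: after the user has authenticated, build the URL that
    sends them back to the originating site with a signed token attached."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": user,                            # who was authenticated
        "iat": now,                             # when the token was issued
        "nonce": secrets.token_hex(8),          # makes each token single-use
        "aud": urlsplit(return_to).netloc,      # which site may accept it
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    token = _b64(payload) + "." + _sign(payload, secret)
    joiner = "&" if "?" in return_to else "?"
    return return_to + joiner + urlencode({"sso_token": token})


class RelyingSite:
    """The site the user was originally visiting."""

    def __init__(self, host: str, secret: bytes = SHARED_SECRET):
        self.host = host
        self.secret = secret
        self.seen_nonces = set()   # replay cache; a real site would expire entries
        self.sessions = {}         # session id -> user name

    def handle_return(self, url: str, now=None):
        """Check the token in the query string. On success mint a local session
        and return its id (the value to put in this site's own cookie); on any
        failure return None and set no cookie."""
        now = int(time.time()) if now is None else now
        token = parse_qs(urlsplit(url).query).get("sso_token", [None])[0]
        if not token or "." not in token:
            return None
        encoded, sig = token.rsplit(".", 1)
        try:
            payload = _unb64(encoded)
        except (ValueError, TypeError):
            return None
        # Verify the signature first, in constant time, before trusting any claim.
        if not hmac.compare_digest(_sign(payload, self.secret), sig):
            return None
        claims = json.loads(payload)
        if claims.get("aud") != self.host:          # token meant for another site
            return None
        issued = claims.get("iat")
        if not isinstance(issued, int) or not (now - TOKEN_TTL_SECONDS <= issued <= now + 5):
            return None                              # stale (or from the future)
        if claims.get("nonce") in self.seen_nonces:  # replayed from a captured URL
            return None
        self.seen_nonces.add(claims["nonce"])
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = claims["sub"]
        return session_id


def session_cookie_header(session_id: str) -> str:
    """The cookie the relying site sets after a successful token check."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    site = RelyingSite("app.example.test")
    redirect = provider_issue_redirect("alice", "https://app.example.test/after-login")
    sid = site.handle_return(redirect)
    print("user:", site.sessions[sid])
    print(session_cookie_header(sid))
    print("replay accepted?", site.handle_return(redirect) is not None)
```

The session id the relying site puts in its own cookie is a fresh random value unrelated to the token, so the token never needs to be stored or reused; the provider's own cookie, which spares the user a second password prompt, is a separate session on the provider host and is not modelled here.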