Hi Josh,
Thanks for the feedback. I do use a shared secret as part of my scheme as
well, although I have recently wondered if that is the part that is causing
my process to 'hang' as it does.
Do you happen to have snippets of the code you plugged into the wiki code to
get the external cookie authentication to work? I'm interested in seeing
where I might be going wrong.
-----Original Message-----
From: mediawiki-l-bounces(a)Wikimedia.org
[mailto:mediawiki-l-bounces@Wikimedia.org] On Behalf Of Joshua Yeidel
Sent: Wednesday, January 11, 2006 8:59 PM
To: mediawiki list
Subject: Re: [Mediawiki-l] Authentication using existing domain cookie
You have to protect against three kinds of attacks (that is, attempts to
log in without proper authentication in your main server):
1) forged cookies (plain-text cookies are a snap to create)
2) tampered cookies (e.g., taking a valid cookie for "user=jones" and
changing it to "user=smith")
3) replayed cookies (e.g., "snooping" a cookie generated by a valid login
and re-using it later)
To protect against these attacks, your domain-wide cookie should have some
kind of authentication stamp. We do an MD5 hash of the username, a
timestamp, and a shared secret (shared by the servers that are 'in the club'
and no-one else). So our cookie* is created by the authentication server
as:
user=jones;time=999999999;MAC=7E848A98.....[more hex digits]
Where the "message authentication code" (MAC) is the MD5 hash referred to
above.
When the cookie is received by the wiki server, it is accepted only if:
1) the user, time, and shared secret, when hashed, give the same MAC
2) the timestamp is less than [some timeout number] seconds old.
This protects well against forged or tampered cookies, and protects somewhat
against replay attacks (protection is better when the timeout is shorter).
HTH,
-- Joshua
* In our case, it's not really a cookie, the information is passed in a
POST, but the principle is the same.
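A worked version of the stamp-and-verify scheme Joshua describes, added here as an editorial example; it is not code from this thread or from MediaWiki. It keeps the cookie layout above (user, time, MAC) and the two acceptance checks (recompute the MAC, then reject stale timestamps), but swaps the MD5 of a bare concatenation for HMAC-SHA256 over a delimited message: the delimiter makes user "jones1" with time "2345" distinct from user "jones" with time "12345", and a keyed HMAC is the standard construction for this purpose. The shared secret, timeout, clock-skew allowance and timestamps are constructed values.

```python
import hmac
import hashlib
from typing import Dict, Optional

# Constructed values for the example. In a deployment the secret is loaded
# from configuration on each server "in the club" and never put in source.
SHARED_SECRET = b"example-shared-secret-do-not-use"
MAX_AGE_SECONDS = 300      # replay window: shorter is safer, per the thread
CLOCK_SKEW_SECONDS = 60    # tolerance for servers whose clocks differ slightly


def compute_mac(user: str, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """Keyed MAC over user and time. The NUL delimiter keeps the encoding
    unambiguous, so shifting characters between the fields changes the MAC."""
    message = f"{user}\x00{timestamp}".encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def make_cookie(user: str, timestamp: int) -> str:
    """What the authentication server issues: user=...;time=...;MAC=..."""
    return f"user={user};time={timestamp};MAC={compute_mac(user, timestamp)}"


def parse_cookie(cookie: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict; a value keeps any '=' after the first."""
    fields: Dict[str, str] = {}
    for part in cookie.split(";"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def verify_cookie(cookie: str, now: int, max_age: int = MAX_AGE_SECONDS) -> Optional[str]:
    """The wiki-side check. Returns the authenticated username, or None when
    the cookie is forged, tampered with, from the future, or too old."""
    fields = parse_cookie(cookie)
    try:
        user = fields["user"]
        timestamp = int(fields["time"])
        presented_mac = fields["MAC"]
    except (KeyError, ValueError):
        return None  # malformed: missing field or non-numeric time

    # Check 1: user, time and shared secret must reproduce the MAC.
    # Constant-time comparison avoids leaking how many bytes matched.
    expected_mac = compute_mac(user, timestamp)
    if not hmac.compare_digest(expected_mac.encode(), presented_mac.encode()):
        return None  # forged or tampered

    # Check 2: the timestamp must be recent (and not implausibly in the future).
    if timestamp > now + CLOCK_SKEW_SECONDS:
        return None
    if now - timestamp > max_age:
        return None  # outside the replay window

    return user


def demo(now: int = 1136950000) -> Dict[str, Optional[str]]:
    """Exercise the three attack classes against a freshly issued cookie."""
    good = make_cookie("jones", now - 10)
    tampered = good.replace("user=jones", "user=smith")   # edited in place
    forged = f"user=smith;time={now};MAC={'0' * 64}"       # made up from scratch
    stale = make_cookie("jones", now - 10_000)             # captured, replayed later
    return {
        "valid": verify_cookie(good, now),
        "tampered": verify_cookie(tampered, now),
        "forged": verify_cookie(forged, now),
        "replayed_after_timeout": verify_cookie(stale, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

As Joshua notes, the timeout only narrows the replay window; a cookie sniffed and replayed within MAX_AGE_SECONDS still passes. Closing that gap needs something beyond the scheme shown here, such as the wiki server remembering MACs it has already accepted until they expire, or a per-login nonce that the issuing server can revoke.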
On 1/10/06 1:18 PM, "Domas Mituzas" <midom.lists(a)gmail.com> wrote:
Hi Justin,
So I guess my question is, should there be any inherent problems with trying
to assign the username using wiki's external authentication from a cookie,
as opposed to REMOTE_USER or LDAP, etc?
On the deployment for which I wrote this code we really use a domain-wide
cookie instead of REMOTE_USER. Just make sure that the user can't provide
invalid cookies.
Domas
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)Wikimedia.org
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l