cosign wiki:CosignCookies

From cosign wiki

Revision as of 16:10, 14 November 2006 by Jd@bnl.gov (Talk | contribs)

Cosign uses two different classes of cookie: a login cookie and a service cookie. Both are host-only cookies (set without a Domain attribute), so a browser returns each one only to the exact host that set it. New cookie values consist of 128 random characters drawn from a string generated with OpenSSL. The forward slash character / is reserved by Cosign as the field separator and is never used as a random character.

Login Cookies

Login cookies are the keys by which a given browser identifies itself to the central cosign server; they are generated by the login CGI. Their format is:
cosign=[128 character string of random bytes]/time_the_cookie_was_generated/registration_count

An example is:

cosign=4qkW7lHyvaVThEzuOxss28cQwURP846TFSs+TnanvI2P/1132593978/1

The time stamp lets the CGI refresh old login cookies that some browsers retain: if a login cookie is older than the default of 24 hours, a new cookie is issued. The registration count is used to detect registration loops. If a user visits the login pages more than MAXLOOPCOUNT (10) times within LOOPWINDOW (30) seconds, the browser is redirected to a loop-breaking page that explains the registration problem.

Service Cookies

Service cookies are the keys by which a given browser identifies itself to the application server; they are generated by the cosign filter. Their format is:
cosign-service_name=[128 character string of random bytes]/time_the_cookie_was_generated

When creating a new cookie, the filter prepends cosign- to the service name defined in the filter's cosign service configuration. An example service cookie for a service named "example" looks like this:

cosign-example=oFxNMqPjNuSraSY+lIqDAzU1UDfsbp2JaHvm6mRP5jhRoIR...

The time stamp lets the filter refresh old service cookies that some browsers retain: if a service cookie is older than the cookie expire time set in the filter's configuration, a new cookie is issued.
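The following is an added example (not code from the cosign project) that parses both cookie formats described above, checks the age rule for login and service cookies, and applies the MAXLOOPCOUNT/LOOPWINDOW rule to a login cookie's registration count. The field layout, the / separator, the 24 hour login default and the loop constants come from this page; the random-part alphabet (letters, digits and +, matching the sample values above), the exact loop comparison, and the generator used to mint new cookies are assumptions, marked in the code.

```python
"""Parse and check Cosign login and service cookies.

Added example, not cosign's own code. Field layout, the '/' separator, the
24 h default login age and MAXLOOPCOUNT/LOOPWINDOW come from the wiki page.
The random-part alphabet, the loop-detection comparison and the cookie
generator are assumptions, marked where they appear.
"""
import re
import secrets
import string
from dataclasses import dataclass

SEPARATOR = "/"                        # reserved by Cosign as the field separator
LOGIN_COOKIE_NAME = "cosign"
SERVICE_PREFIX = "cosign-"
RANDOM_LEN = 128                       # characters of random data per cookie
DEFAULT_LOGIN_MAX_AGE = 24 * 60 * 60   # seconds; default login cookie lifetime
MAXLOOPCOUNT = 10
LOOPWINDOW = 30                        # seconds

# Assumption: a base64-style alphabet with '/' excluded, as in the page's examples.
RANDOM_ALPHABET = string.ascii_letters + string.digits + "+"
_RANDOM_RE = re.compile(r"^[A-Za-z0-9+]+$")


@dataclass(frozen=True)
class LoginCookie:
    random_part: str
    issued_at: int            # Unix time the cookie was generated
    registration_count: int


@dataclass(frozen=True)
class ServiceCookie:
    service: str
    random_part: str
    issued_at: int


def _split_value(value: str, nfields: int) -> list:
    """Split a cookie value on '/', check field count, alphabet and numeric fields."""
    fields = value.split(SEPARATOR)
    if len(fields) != nfields:
        raise ValueError(f"expected {nfields} '/'-separated fields, got {len(fields)}")
    if not _RANDOM_RE.match(fields[0]):
        raise ValueError("random part is empty or contains disallowed characters")
    for f in fields[1:]:
        if not f.isdigit():
            raise ValueError(f"non-numeric field {f!r}")
    return fields


def parse_login_cookie(cookie: str) -> LoginCookie:
    """cosign=<random>/<issued_at>/<registration_count>"""
    name, sep, value = cookie.partition("=")
    if sep != "=" or name != LOGIN_COOKIE_NAME:
        raise ValueError("not a cosign login cookie")
    rand, ts, count = _split_value(value, 3)
    return LoginCookie(rand, int(ts), int(count))


def parse_service_cookie(cookie: str) -> ServiceCookie:
    """cosign-<service>=<random>/<issued_at>"""
    name, sep, value = cookie.partition("=")
    if sep != "=" or not name.startswith(SERVICE_PREFIX) or len(name) == len(SERVICE_PREFIX):
        raise ValueError("not a cosign service cookie")
    rand, ts = _split_value(value, 2)
    return ServiceCookie(name[len(SERVICE_PREFIX):], rand, int(ts))


def needs_refresh(issued_at: int, now: int, max_age: int) -> bool:
    """True when the cookie is older than max_age (login: 24 h default; service:
    the filter's configured expire time). A timestamp in the future also counts
    as stale, so a tampered time field cannot extend a cookie's lifetime."""
    age = now - issued_at
    return age < 0 or age > max_age


def in_register_loop(c: LoginCookie, now: int) -> bool:
    """Assumed reading of the page's rule: more than MAXLOOPCOUNT registrations
    within LOOPWINDOW seconds of the cookie's timestamp."""
    return c.registration_count > MAXLOOPCOUNT and 0 <= now - c.issued_at <= LOOPWINDOW


def new_random_part(n: int = RANDOM_LEN) -> str:
    """Assumption: draw from RANDOM_ALPHABET with a CSPRNG so '/' never appears.
    Cosign uses OpenSSL for this step; its exact encoding is not given on the page."""
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(n))


def issue_login_cookie(now: int, registration_count: int = 1) -> str:
    return f"{LOGIN_COOKIE_NAME}={new_random_part()}{SEPARATOR}{now}{SEPARATOR}{registration_count}"


def issue_service_cookie(service: str, now: int) -> str:
    return f"{SERVICE_PREFIX}{service}={new_random_part()}{SEPARATOR}{now}"


if __name__ == "__main__":
    # Constructed sample: the login cookie value shown on this page.
    sample = "cosign=4qkW7lHyvaVThEzuOxss28cQwURP846TFSs+TnanvI2P/1132593978/1"
    lc = parse_login_cookie(sample)
    print(lc)
    print("stale after 25 h:", needs_refresh(lc.issued_at, lc.issued_at + 90000, DEFAULT_LOGIN_MAX_AGE))
```

Any cookie with the wrong number of fields, a non-numeric time or count, or a character outside the assumed alphabet is rejected before its values are used, which is the behaviour a practitioner wants from anything that reads an attacker-controlled Cookie header.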
