WebApp Sec mailing list archives
RE: Cookie stealing and replay in a corporate single sign on environment
From: "Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>
Date: Wed, 15 Jun 2005 16:38:47 +0200
Hello Ivan
> The only solution where I can see this approach working (for SSO deployments) is where a reverse proxy is used to terminate SSL and map all the web servers into a single domain space at the same time.

Yes, you are perfectly right. Thanks for clarifying this issue that I did not mention. It involves a secure reverse proxy or also so-called application security gateway component in front of the Web servers. This component would terminate SSL and map the real application sessions to one secure session.

I believe this approach is a good idea anyway for doing authentication enforcement and overall filtering in SSO deployments. It enables SSL based session tracking and protection for all Web application sessions behind it. If there is no authentication enforcement unit in front of the SSO Web servers it is potentially possible to exploit vulnerabilities of those without being authenticated. We have already seen this a couple times out there ;-)

Best regards,
Cyrill Osterwalder
Chief Technology Officer
Seclutions AG
http://www.seclutions.com
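The gateway arrangement described in the message above, as an added example that is not code from the original post or from Seclutions: a minimal in-process model of a reverse proxy that terminates SSL, enforces authentication before any request reaches a backend, maps every backend's own session cookie onto one gateway session, and binds that gateway session to the TLS session it was issued over so a replayed cookie arriving over a different TLS session is rejected. The cookie name GW_SESSION, the path-to-backend routes, the simulated backends, and the request/response dictionaries are all constructed for illustration and not taken from the page.

```python
"""Added example: an authentication-enforcing reverse proxy in miniature.
Backends are simulated in-process; all names and headers are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field

GATEWAY_COOKIE = "GW_SESSION"  # assumed name of the single gateway-issued cookie

# Constructed route table: several apps appear under one domain behind the gateway.
ROUTES = {"/hr": "hr.internal", "/crm": "crm.internal"}


@dataclass
class GatewaySession:
    user: str
    tls_session_id: str                                   # TLS session the cookie was issued over
    backend_cookies: dict = field(default_factory=dict)   # backend host -> that app's own cookies


class Gateway:
    def __init__(self, backends):
        self.backends = backends   # host -> callable(request dict) -> response dict
        self.sessions = {}         # gateway session id -> GatewaySession

    def login(self, user, tls_session_id):
        """Issue one gateway session after (out-of-scope) authentication succeeded."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = GatewaySession(user, tls_session_id)
        return sid

    def route(self, path):
        for prefix, host in ROUTES.items():
            if path == prefix or path.startswith(prefix + "/"):
                return prefix, host
        return None, None

    def handle(self, req):
        """req: {'path', 'tls_session_id', 'cookies'}; returns a response dict."""
        sid = req.get("cookies", {}).get(GATEWAY_COOKIE)
        sess = self.sessions.get(sid) if sid else None
        # Authentication is enforced here, before anything is forwarded.
        if sess is None:
            return {"status": 401, "body": "login required", "set_cookie": []}
        # Bind the cookie to the TLS session it was issued on (constant-time compare).
        if not hmac.compare_digest(sess.tls_session_id, req["tls_session_id"]):
            return {"status": 401, "body": "session/TLS mismatch", "set_cookie": []}
        prefix, host = self.route(req["path"])
        if host is None:
            return {"status": 404, "body": "no such app", "set_cookie": []}
        backend_req = {
            "path": req["path"][len(prefix):] or "/",
            "user": sess.user,  # identity asserted by the gateway, not by a browser cookie
            "cookies": dict(sess.backend_cookies.get(host, {})),
        }
        resp = self.backends[host](backend_req)
        # Capture the backend's Set-Cookie headers into the mapping and strip them,
        # so the browser only ever sees the gateway cookie.
        for name, value in resp.get("set_cookie", []):
            sess.backend_cookies.setdefault(host, {})[name] = value
        return {"status": resp["status"], "body": resp["body"], "set_cookie": []}


def make_backend(name):
    """Constructed stand-in for an SSO web server: issues its own session cookie
    on first contact and expects it back afterwards. Counts calls for inspection."""
    def app(req):
        app.calls += 1
        if "APPSESS" not in req["cookies"]:
            return {"status": 200, "body": f"{name}: hello {req['user']}",
                    "set_cookie": [("APPSESS", f"{name}-{secrets.token_hex(4)}")]}
        return {"status": 200,
                "body": f"{name}: welcome back {req['user']} ({req['cookies']['APPSESS']})",
                "set_cookie": []}
    app.calls = 0
    return app


def demo():
    gw = Gateway({host: make_backend(host) for host in ROUTES.values()})
    # 1. unauthenticated request: rejected at the gateway, backend never sees it
    r0 = gw.handle({"path": "/hr/payslips", "tls_session_id": "tls-A", "cookies": {}})
    sid = gw.login("alice", "tls-A")
    # 2. first authenticated request: backend issues APPSESS, gateway absorbs it
    r1 = gw.handle({"path": "/hr/payslips", "tls_session_id": "tls-A",
                    "cookies": {GATEWAY_COOKIE: sid}})
    # 3. second request: gateway replays the stored APPSESS to the backend
    r2 = gw.handle({"path": "/hr/payslips", "tls_session_id": "tls-A",
                    "cookies": {GATEWAY_COOKIE: sid}})
    # 4. stolen gateway cookie replayed over a different TLS session: rejected
    r3 = gw.handle({"path": "/crm/", "tls_session_id": "tls-B",
                    "cookies": {GATEWAY_COOKIE: sid}})
    return r0, r1, r2, r3, gw, sid


if __name__ == "__main__":
    for r in demo()[:4]:
        print(r["status"], r["body"])
```

Two design points worth noting: the backend identity is passed as an assertion from the gateway rather than as a cookie the browser controls, and the backend's own Set-Cookie is never returned to the client, so stealing the only cookie the browser holds buys nothing outside the TLS session it is bound to.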
Current thread:
- Cookie stealing and replay in a corporate single sign on environment Willard Fernortner (Jun 14)
- Re: Cookie stealing and replay in a corporate single sign on environment Irene Abezgauz (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Willard Fernortner (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Irene Abezgauz (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Willard Fernortner (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Willie Northway (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Saqib Ali (Jun 15)
- <Possible follow-ups>
- RE: Cookie stealing and replay in a corporate single sign on environment Cyrill Osterwalder (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Ivan Ristic (Jun 15)
- RE: Cookie stealing and replay in a corporate single sign on environment Cyrill Osterwalder (Jun 15)
- Re: Cookie stealing and replay in a corporate single sign on environment Irene Abezgauz (Jun 15)