[unisog] Using cookies for authentication

H. Morrow Long morrow.long at yale.edu
Fri Mar 7 21:08:13 GMT 2003


Russell,

You might also want to look at the issues we evaluated in our
web based SSO system (which is also based on cookies) called
CAS (Central Authentication System).  You can see how we prevent
a rogue web server or machine from grabbing the cookie and abusing
it (your 2nd scenario) -- we create cookie 'tickets' for the
service which are one time only and only good for the particular
service (only this ticket cookie is 'given up' to the untrusted
service.  All web servers are untrusted btw.).

You can find detailed documentation on CAS 1.0 and 2.0 at:

	http://www.yale.edu/tp/auth/

H. Morrow Long


Russell Fulton wrote:
> Hi All,
> 	We are currently looking at a new web based application that uses
> cookies for authentication.  The cookie contains, amongst other things,
> userid, issue time, the issuing system ID and a SHA1 hash of the
> contents (and a secret) to prevent one changing the cookie.  All
> exchanges of the cookies over the network are via SSL and the cookie
> also has flags that tell the browser not to write it to disk.
> 
> So far as I can tell if an attacker can steal a cookie then they can use
> it to impersonate the cookie's owner for the lifetime of the cookie.
> 
> We are trying to do a risk analysis of this system and so I am trying to
> figure out how easy (or otherwise) it is to steal memory based cookies
> from systems running common browsers (mostly IE, some old :( ).
> 
> Two schemes that occur to me are 1/ to tamper with the browser (so it
> writes the cookie to disk or better still sends it directly to the
> attacker) or 2/ to introduce malware on the user's computer that
> will search for the cookie in memory and send it to the attacker.  If an
> attacker has the ability to do either of these things then they could
> probably also install keyboard loggers and grab the users credentials
> directly -- something that affects almost all authentication systems so
> I am ignoring this for this particular exercise.
> 
> What I am really focusing on is the risk of browser bugs and XSS bugs
> that might allow the cookie to be stolen.  We must assume that the
> attacker may have a web server under their control in the same domain as
> the cookie and that they may be able to induce users to visit the site.
> 
> Any thoughts or references gratefully received.
> 

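The two designs discussed in this thread, the signed authentication cookie Russell describes and the one-time, service-bound "ticket" that Morrow says CAS hands to an untrusted web server, can be modelled side by side. The following is an added example written for this archive page; it is not CAS code and not the application Russell is evaluating. It uses HMAC-SHA256 rather than a bare hash over contents plus secret (a design choice of this example), the secret, user names and service URLs are constructed for the demo, and the ticket store is an in-memory dict standing in for whatever the real SSO server would use. The point it shows is the one Morrow makes: a stolen service ticket is worthless to a rogue server because it is bound to one service and burned on its first validation attempt, whereas a stolen long-lived cookie is good for its whole lifetime.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret; a real deployment keeps this out of source.
COOKIE_SECRET = b"constructed-demo-secret-do-not-use"


def make_cookie(userid, issuer, now=None, secret=COOKIE_SECRET):
    """Long-lived auth cookie: userid | issue time | issuing system | MAC.
    Anyone holding this value can act as `userid` until it expires."""
    issued = int(time.time() if now is None else now)
    payload = f"{userid}|{issued}|{issuer}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "|" + tag


def verify_cookie(cookie, max_age, now=None, secret=COOKIE_SECRET):
    """Return {'userid', 'issuer'} if the MAC is valid and the cookie is
    within max_age seconds of issue, otherwise None. Tampering with any
    field (or a userid containing '|') fails closed."""
    try:
        userid, issued, issuer, tag = cookie.split("|")
        issued = int(issued)
    except ValueError:
        return None
    payload = f"{userid}|{issued}|{issuer}".encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    now = time.time() if now is None else now
    if now - issued > max_age or issued > now:
        return None
    return {"userid": userid, "issuer": issuer}


class TicketServer:
    """Hypothetical SSO server modelled on the CAS idea described above:
    the user's long-lived cookie never leaves the SSO server's domain; a
    web service only ever sees a one-time ticket bound to that service."""

    def __init__(self):
        self._tickets = {}  # ticket id -> (userid, service it is bound to)

    def issue_service_ticket(self, userid, service):
        # 128 bits of randomness; the ticket carries no user data itself.
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (userid, service)
        return ticket

    def validate(self, ticket, service):
        """Called by the service (server to server) to redeem a ticket.
        The ticket is removed on the first attempt, whether or not the
        presenting service is the one it was issued for, so a rogue
        server that captures it gets at most one failed validation."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None  # unknown, already used, or already burned
        userid, bound_service = entry
        if bound_service != service:
            return None  # presented by the wrong service: rejected and burned
        return userid


def demo():
    """Walk both models through the 'rogue server in the same domain'
    scenario and return the outcomes."""
    out = {}
    # Signed cookie: a stolen copy works until it expires.
    cookie = make_cookie("alice", "sso.example.edu", now=1000)
    out["cookie_ok"] = verify_cookie(cookie, 3600, now=2000) is not None
    out["cookie_replayed_later"] = verify_cookie(cookie, 3600, now=4000) is not None
    out["cookie_tampered"] = verify_cookie(cookie.replace("alice", "bob"), 3600, now=2000)
    out["cookie_expired"] = verify_cookie(cookie, 3600, now=10000)

    # One-time service ticket: a stolen copy is useless to another service
    # and cannot be replayed even at the right one.
    sso = TicketServer()
    good = "https://app.example.edu/"     # hypothetical legitimate service
    rogue = "https://rogue.example.edu/"  # hypothetical attacker-controlled host
    st = sso.issue_service_ticket("alice", good)
    out["ticket_at_rogue"] = sso.validate(st, rogue)   # None: wrong service
    out["ticket_after_rogue"] = sso.validate(st, good)  # None: already burned
    st2 = sso.issue_service_ticket("alice", good)
    out["ticket_first_use"] = sso.validate(st2, good)   # "alice"
    out["ticket_replay"] = sso.validate(st2, good)      # None: one time only
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The cookie half of the example still has the weakness Russell identifies: anyone who can read the cookie out of the browser holds a bearer credential for `max_age` seconds, and shortening that window is the only lever the format itself offers. The ticket half narrows what an XSS or rogue same-domain server can obtain to a value that dies on first use, which is why the long-lived credential is only ever exchanged with the SSO server rather than with each application.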