tomcat-users mailing list archives

From John Niven <John.Ni...@marcat.com>
Subject RE: Single sign-on for Tomcat/IIS realms
Date Wed, 23 Jan 2002 16:18:52 GMT
Whoops, just realised the security implications of my suggestion - click
"back" while logging in and -boom!- you're "authenticated".  Any other
takers?

John

--
John Niven
(Reply via newsgroup/mailing list)

> -----Original Message-----
> From: John Niven [mailto:John.Niven@marcat.com] 
> Sent: 23 January 2002 16:16
> To: 'Tomcat Users List'
> Subject: RE: Single sign-on for Tomcat/IIS realms
> 
> 
> Andrew
> 
> From JSP, you could get the logon page to set a cookie (and 
> the logon-fail page to unset it), then have JSP and ASP pages 
> look for the same cookie. Although I'm primarily an ASP 
> developer, I tend to roll my own logons for ASP, so can't 
> help with the ins-and-outs of IIS authentication, but I'd 
> imagine something similar is possible with ASP authentication.
> 
> Naturally, a cookie with name="authenticated" and 
> value="true" would be easy to forge, so you'd probably want 
> to do something like set the cookie to a hash of the (i) 
> client's IP address and (ii) a nonce-value that changes, say, 
> daily or hourly.
> 
> Hope this helps,
> John
> 
> --
> John Niven
> (Reply via newsgroup/mailing list)
> 
> 
> > -----Original Message-----
> > From: Andrew [mailto:asd@ezan.ac.ru]
> > Sent: 23 January 2002 11:19
> > To: Tomcat Users List
> > Subject: Single sign-on for Tomcat/IIS realms
> > 
> > 
> >     Hi, how can I implement single sign-on for
> > Tomcat/IIS (ASP.NET) user realms? Both servers work on the same 
> > machine and use cookies for authentication. More precisely, 
> > I want the IIS session to be authenticated if Tomcat is.
> > 
> > Thanks.

--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
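
An added example, not part of the original messages: one way to build the shared cookie discussed in this thread so that it is issued only after the credential check succeeds and cannot be recomputed by the client. It swaps the plain hash for an HMAC-SHA256 under a secret key held by both servers; the class and method names, the key handling, the one-hour window and the sample values are assumptions, and the IIS side would recompute the same tag with the same key.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration; class, method and field names are hypothetical.
public class SharedLoginToken {
    private static final long WINDOW_MS = 60L * 60 * 1000; // "hourly" rotation from the post
    private final byte[] key; // secret known to both servers, never sent to the client
    public SharedLoginToken(byte[] key) { this.key = key.clone(); }

    // Call only after the credential check has succeeded, never from the logon form itself.
    public String issue(String user, String clientIp, long nowMs) throws Exception {
        long window = nowMs / WINDOW_MS;
        return user + "." + window + "." + mac(user, clientIp, window);
    }

    // Returns the user name if the cookie value is authentic and current, else null.
    public String verify(String cookie, String clientIp, long nowMs) throws Exception {
        int last = cookie == null ? -1 : cookie.lastIndexOf('.');
        int mid = last > 0 ? cookie.lastIndexOf('.', last - 1) : -1;
        if (mid <= 0) return null; // malformed or empty user name
        String user = cookie.substring(0, mid);
        long window;
        try { window = Long.parseLong(cookie.substring(mid + 1, last)); } catch (NumberFormatException e) { return null; }
        long current = nowMs / WINDOW_MS;
        if (window != current && window != current - 1) return null; // older than two windows
        byte[] expected = mac(user, clientIp, window).getBytes(StandardCharsets.US_ASCII);
        byte[] given = cookie.substring(last + 1).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, given) ? user : null; // constant-time compare
    }

    // Tag binds user, client address and time window; only key holders can compute it.
    private String mac(String user, String ip, long window) throws Exception {
        Mac h = Mac.getInstance("HmacSHA256");
        h.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = h.doFinal((user + "\n" + ip + "\n" + window).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    public static void main(String[] args) throws Exception {
        SharedLoginToken t = new SharedLoginToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String c = t.issue("alice", "192.0.2.10", now);               // constructed sample values
        System.out.println(t.verify(c, "192.0.2.10", now));           // same client address
        System.out.println(t.verify(c, "192.0.2.99", now));           // different client address
        System.out.println(t.verify(c + "x", "192.0.2.10", now));     // altered cookie value
    }
}
```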

