RE: [users@httpd] mod_proxy/mod_proxy_html

I can see from the live headers that the single sign-on server is setting
a cookie, i.e.,
http://extranet.hendrickson-intl.com/cas/login?service=http%3A%2F%2Fwd-prtlsrv1%3A8080%2Fwcs%2Fj_security_check HTTP/1.1
Set-Cookie: CASTGC=TGC-1-1N7IaTahULnxb6P8E46x2iG5BoG5PDcwQg8AaLyCEFPL6VgwzV; Path=/cas; Secure
Set-Cookie: CASPRIVACY=enabled; Path=/cas; Secure


It then redirects to the application, i.e.
GET http://extranet.hendrickson-intl.com/wcs/j_security_check?ticket=ST-1-QKX76eV2KhxqMIp3MPvd 

Note that j_security_check is a filter in the application that validates
the ticket issued by the single sign-on. However, it doesn't see the above
cookie.
Is there a way to pass the cookie from the single-sign-on module to
the application? The cookie doesn't have any domain when it is returned.
Note that we don't have the source code of the single sign-on module, so
there is very little we can change.
Thanks.
-Shahzad Bhatti




-----Original Message-----
From:	Axel-Stéphane  SMORGRAV [mailto:Axel-Stephane.SMORGRAV@xxxxxxxxxxxxxx]
Sent:	Fri 8/12/2005 2:54 AM
To:	users@xxxxxxxxxxxxxxxx
Cc:	
Subject:	RE: [users@httpd] mod_proxy/mod_proxy_html
What you need to do is use LiveHTTPHeaders in order to verify that the cookie is indeed delivered to your browser as a Set-Cookie response header. I guess this is done in the HTTP 302 in response to GET https://extranet.hendrickson-intl.com/cas/login?service=http%3A%2F%2Fextranet.hendrickson-intl.com%3A80%2Fwcs%2Fj_security_check.

If that login cookie is "secure" (that is a parameter of the cookie), your browser will not submit it in a request which is not sent over httpS. From what I have understood from your mails, you access your application with http (no S). That may explain why the cookies are not submitted.

Another thing that might prevent the browser from submitting the cookie is a mismatch between the cookie domain and the host part of the URL. In order to be submitted, the cookie domain should be extranet.hendrickson-intl.com or hendrickson-intl.com. If that is not the case, the browser will not submit the cookie in requests.

If you are uncertain about what is happening, please post the full LiveHTTPHeaders trace starting with the request for https://extranet.hendrickson-intl.com/cas/login?service=http%3A%2F%2Fextranet.hendrickson-intl.com%3A80%2Fwcs%2Fj_security_check, through the first access to http://extranet.hendrickson-intl.com/wcs/j_security_check?ticket=xxx


Another thing is that there is a little voice in my head telling me that this is not a cookie problem. I am trying to have him shut up, but the little fellow keeps bugging me.

I noticed that the query string in the URL http://extranet.hendrickson-intl.com/wcs/j_security_check?ticket=ST-11-vPSm2DSGExfFDlJ6Axb6 contains a variable named "ticket". Would that by any chance be the sign-in ticket??

Then, if the j_security_check failed, I would expect a redirection to the login service, not to another j_security_check...

-ascs

-----Original Message-----
From: Shahzad Bhatti [mailto:sbhatti@xxxxxxxxxxx] 
Sent: Thursday, August 11, 2005 6:46 PM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: [users@httpd] mod_proxy/mod_proxy_html

Axel,
  Thanks again, it worked and I was able to go further; however, I ran into another problem. We are using single sign-on that stores the ticket in a cookie; however, it looks like this cookie is not being passed to the client. And it goes into a loop, i.e.,
-- AFTER SUCCESSFUL LOGIN, THE USER IS DIRECTED TO THE APPLICATION (WHICH VERIFIES TICKET)
http://extranet.hendrickson-intl.com/wcs/j_security_check?ticket=ST-11-vPSm2DSGExfFDlJ6Axb6

GET /wcs/j_security_check?ticket=ST-11-vPSm2DSGExfFDlJ6Axb6 HTTP/1.1
Referer: http://extranet.hendrickson-intl.com/cas/login?service=http%3A%2F%2Fwd-prtlsrv1%3A8080%2Fhendrickson%2Fj_security_check


AND IT'S SENDING REDIRECT TO THE SAME URL

HTTP/1.x 302 Moved Temporarily
Location: http://extranet.hendrickson-intl.com/wcs/j_security_check?ticket=ST-11-vPSm2DSGExfFDlJ6Axb6

Is there any way to add cookie support and break this loop?
Regards,
Shahzad Bhatti
Integrated Software Specialists
http://www.issintl.com
1901 North Roselle Road, Suite 450
Schaumburg, IL 60195
Phone: 847-558-5342
Fax: 847-240-5073




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
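
The cookie rules Axel describes (the Secure flag and the domain match), applied to the Set-Cookie headers quoted at the top of the thread, as an added example that is not part of any poster's message. It also checks the Path attribute, which the thread does not discuss; the function names are hypothetical and the cookie and ticket values are placeholders.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header_value, origin_url):
    """Parse one Set-Cookie value received from origin_url."""
    origin = urlsplit(origin_url)
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {
        "name": name, "value": value,
        "domain": (origin.hostname or "").lower(), "host_only": True,
        # Default path: directory of the URL that set the cookie.
        "path": origin.path[:origin.path.rfind("/")] or "/",
        "secure": False,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie["domain"], cookie["host_only"] = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
    return cookie

def reasons_not_sent(cookie, url):
    """Return why a browser withholds the cookie for url ([] means it is sent)."""
    u = urlsplit(url)
    host, path, cpath = (u.hostname or "").lower(), u.path or "/", cookie["path"]
    reasons = []
    if cookie["secure"] and u.scheme != "https":
        reasons.append("secure-cookie-over-http")
    if cookie["host_only"]:
        # No Domain attribute: only the exact host that set the cookie gets it.
        if host != cookie["domain"]:
            reasons.append("host-mismatch")
    elif host != cookie["domain"] and not host.endswith("." + cookie["domain"]):
        reasons.append("domain-mismatch")
    if not (path == cpath or (path.startswith(cpath)
            and (cpath.endswith("/") or path[len(cpath)] == "/"))):
        reasons.append("path-mismatch")
    return reasons

# Headers as quoted in the thread; the ticket values are placeholders.
ORIGIN = "http://extranet.hendrickson-intl.com/cas/login"
CASTGC = parse_set_cookie("CASTGC=TGC-placeholder; Path=/cas; Secure", ORIGIN)
APP_URL = "http://extranet.hendrickson-intl.com/wcs/j_security_check?ticket=ST-placeholder"

if __name__ == "__main__":
    print(reasons_not_sent(CASTGC, APP_URL))
```

For the /wcs URL over plain HTTP the CASTGC cookie fails both the Secure and the Path check; requesting the same URL over HTTPS would still leave the path mismatch, since the cookie is scoped to /cas.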







