RE: [users@httpd] mod_proxy/mod_proxy_html

Set-Cookie: CASTGC=TGC-1-1N7IaTahULnxb6P8E46x2iG5BoG5PDcwQg8AaLyCEFPL6VgwzV; Path=/cas; Secure
                                                                             ^^^^^^^^^^^^^^^^^^
Set-Cookie: CASPRIVACY=enabled; Path=/cas; Secure
                               ^^^^^^^^^^^^^^^^^^^^

The cookie is not submitted to the application for two reasons:
- it is flagged as secure and you access the application using HTTP and not HTTPS
- the path to the j_security_check servlet is not in the Cookie path /cas

You need to resolve the two above issues in order to make it work. It is likely possible to define the path of the logon cookie in your SSO application configuration. In that case you should probably set it to /. You can probably also turn off the secure cookie stuff if you really want to, i.e. you do not consider it as likely that anyone will succeed in a replay attack.

BR
-ascs

-----Original Message-----
From: Shahzad Bhatti [mailto:sbhatti@xxxxxxxxxxx] 
Sent: Monday, August 15, 2005 6:40 PM
To: users@xxxxxxxxxxxxxxxx; users@xxxxxxxxxxxxxxxx
Subject: RE: [users@httpd] mod_proxy/mod_proxy_html

I can see from the live header that the single sign-on server is setting a cookie, i.e., http://extranet.hendrickson-intl.com/cas/login?service=http%3A%2F%2Fwd-prtlsrv1%3A8080%2Fwcs%2Fj_security_check HTTP/1.1
Set-Cookie: CASTGC=TGC-1-1N7IaTahULnxb6P8E46x2iG5BoG5PDcwQg8AaLyCEFPL6VgwzV; Path=/cas; Secure
Set-Cookie: CASPRIVACY=enabled; Path=/cas; Secure


It then redirects to the application, i.e.
GET http://extranet.hendrickson-intl.com/wcs/j_security_check?ticket=ST-1-QKX76eV2KhxqMIp3MPvd 

Note that j_security_check is a filter in the application that validates the ticket issued by the single sign-on. However, it doesn't see the above cookie.
Is there a way to pass the cookie from the single sign-on module to the application? The cookie doesn't have any domain when it is returned.
Note that we don't have the source code of the single sign-on module, so there is very little we can change.
Thanks.
-Shahzad Bhatti


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
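
The two reasons given in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of any CAS or Apache code: it applies the browser's Secure and Path rules (RFC 6265 path-match) to the cookie attributes and request URL quoted in the thread. The function names and the shortened token and ticket values are constructed for illustration, and domain matching is left out because both URLs use the same host.

```python
from urllib.parse import urlsplit

# Constructed sample input: same attributes as the headers in the thread,
# with the token and ticket values replaced by placeholders.
CASTGC = "CASTGC=TGC-1-EXAMPLE; Path=/cas; Secure"
APP_URL = ("http://extranet.hendrickson-intl.com"
           "/wcs/j_security_check?ticket=ST-EXAMPLE")


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into its name, Path and Secure flag."""
    first, *attrs = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "path": None, "secure": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path":
            cookie["path"] = val.strip()
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4: equal, or a prefix ending on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return (cookie_path.endswith("/")
                or request_path[len(cookie_path)] == "/")
    return False


def reasons_not_sent(cookie, url):
    """List why a browser would withhold `cookie` from a request to `url`."""
    parts = urlsplit(url)
    reasons = []
    if cookie["secure"] and parts.scheme != "https":
        reasons.append("secure-flag-over-http")
    # Simplification: a missing Path is treated as "/" here; a browser
    # derives the default from the URL that set the cookie.
    if not path_matches(parts.path or "/", cookie["path"] or "/"):
        reasons.append("path-mismatch")
    return reasons


if __name__ == "__main__":
    print(reasons_not_sent(parse_set_cookie(CASTGC), APP_URL))
```

Setting the cookie path to / removes only the path mismatch; over plain HTTP the Secure flag still keeps the cookie from being sent.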


