Re: Bypass Authentication



It depends on details that I don't know and would have no way of knowing.

Assuming that the server at location 3 requires a cookie to be sent to it to
provide authentication information, you need to find a way to get the
browser to send that cookie. Normally, browsers send cookies as a result of
a server sending them a Set-Cookie response header or by having a file-based
cookie already on the local client that the browser would then send.

I have no idea:
- if you need a cookie here (because you don't seem to know yet)
- how you are launching the browser
- how you would get the browser to send a cookie in the request (assuming
you actually need a cookie in the first place)

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F472507E-A5D9-4743-80BC-BDCEC01534E9@xxxxxxxxxxxxxxxx
Sorry for repeatedly asking this....

Would the below be possible if we are dealing with 2 different
locations/network.

Client (Location 1)
Comm Server (Location 2)
Company Web/Auth Server (Location 3)

First Authorization/Communication occurs between Location 2 and Location 3,
the subsequent Browser Launching Occurs in Location 1 (to Location 3), here
Location 1 needs to use the auth information from Location 2.

Once again, Thank you very much for your patience and the response.




"Joe Kaplan" wrote:

Basically, if you have a web client of some sort that provides some
authentication data and receives a cookie back that can be used for
subsequent authentication, then it is likely that you can capture the cookie
returned from the server and use that in a different request.

The actual mechanics of this will vary, but to give you an example, if you
program with .NET HttpWebRequest and HttpWebResponse, you have access to
Cookies collections that contain the cookies the server sends to the client
and cookies the client sends to the server.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DA5C83B5-9548-4DEE-B1A2-3D66703F12ED@xxxxxxxxxxxxxxxx
Thank you for responding, I will try that as well.

All Novell does is LDAP verification, but the Auth Session/Cookie that gets
established on the Client is what I would like to re-use, but they are not
different network.

From the browser standpoint would it be possible to launch a browser with
the Auth Session/Cookie that got established from a different
machine/client.
If so, can you please give me some details.

Thank you in advance.



"Joe Kaplan" wrote:

It really seems like you should be asking this on a forum that has more
information regarding how the Novell system works here. There may be a
cookie or other session token related to this that you can reuse, but if the
authentication method is proprietary, you need to find out those proprietary
details.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FDFAE179-7AF0-450D-9264-1BAAEE5B5E8D@xxxxxxxxxxxxxxxx
One of the thoughts we have is...

Is there a way that the Session/Auth Cookie that got established on
Step 3 be copied or created on the Client Machine (Step 5) and get used in
(Step 6 - to bypass authentication).

"Enthu" wrote:

I have a security question and would like to see if there are any options to
overcome this issue. Please read below for the sequence of process that is
occurring and the issue that I am having...

Step 1: Client Machine sends XML data to an external Communication Server
Step 2: Communication Server reformats the XML data received from the Client Machine
Step 3: Communication Server then Posts (SSL) the reformatted XML with a Userid and Password to a company website (which uses Novell iChain for authorization)
Step 4: Company Website processes the received XML data and returns a Response with a URL to launch on the Client Machine
Step 5: Communication Server returns the data to the Client and launches a browser with the URL (Page to a Company Website) from the XML response
Step 6: At this point the Client is required to Login (due to Novell iChain security on the Company Website)

For ease of use, our company would prefer to not have the user enter the
UserName and Password, but still be able to launch the URL and pass the
credentials.

Any response would be very much appreciated
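
The .NET cookie collections mentioned in the thread above, as an added example that is not part of the original posts: it loads a constructed Set-Cookie value into a CookieContainer and shows which later requests would carry the cookie. The host names and the cookie name `SessionToken` are placeholders, not the names the real gateway uses.

```csharp
using System;
using System.Net;

class CookieScopeDemo
{
    static void Main()
    {
        // Constructed sample values (assumptions, not taken from the thread).
        var loginUri = new Uri("https://portal.company.example/login");
        string setCookie = "SessionToken=abc123; Path=/; Secure; HttpOnly";

        // With a live server you would assign this container to
        // HttpWebRequest.CookieContainer before calling GetResponse();
        // the Set-Cookie headers of the response are then parsed into it.
        // Here the header is fed in directly so the example runs offline.
        var jar = new CookieContainer();
        jar.SetCookies(loginUri, setCookie);

        // Inspect what the server handed out and how it scoped it.
        foreach (Cookie c in jar.GetCookies(loginUri))
        {
            Console.WriteLine("{0}={1} domain={2} path={3} secure={4} httpOnly={5}",
                c.Name, c.Value, c.Domain, c.Path, c.Secure, c.HttpOnly);
        }

        // The Cookie header a later request using the same container would send.
        Show(jar, "https://portal.company.example/app/page"); // same host, https
        Show(jar, "http://portal.company.example/app/page");  // same host, plain http
        Show(jar, "https://other.company.example/app/page");  // different host
    }

    static void Show(CookieContainer jar, string url)
    {
        string header = jar.GetCookieHeader(new Uri(url));
        Console.WriteLine("{0} -> Cookie: {1}",
            url, header.Length == 0 ? "(none)" : header);
    }
}
```

The Secure flag and the absence of a Domain attribute decide where the container replays the cookie, which is the same scoping a browser applies to a cookie it receives from the server at Location 3.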