Re: Bypass Authentication



Please let me know what kind of information you need to make a determination
on this. I am not trying to be painful here, want to make sure that I give
you the right information.

"Joe Kaplan" wrote:

I believe it is possible but I definitely can't help with the details until
you get some more details as to how the system actually is going to work. I
don't think we know enough yet to confirm whether it can actually be made to
work.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E30C3250-A32E-451B-AE23-A05D23008F88@xxxxxxxxxxxxxxxx
I believe we are on the same page now...

1) Yes I believe the issue can be resolved if we are able to pass the
authentication cookie back to the Server at Location 3 from Location 1.

2) I am not sure how it is done exactly, as it is done by the Third Party
application.

3) If I write a .NET program, which accepts the URL, cookie(Id), which in
turn creates a cookie on the client and launch the browser, and provide it
to the Third Party application to use this program to launch the browser.

Do you believe that there is a possibility that the above would work?

Thank you for taking time in working this through with me.


"Joe Kaplan" wrote:

It depends on details that I don't know and would have no way of knowing.

Assuming that the server at location 3 requires a cookie to be sent to it to
provide authentication information, you need to find a way to get the
browser to send that cookie. Normally, browsers send cookies as a result of
a server sending them a Set-Cookie response header or by having a file based
cookie already on the local client that the browser would then send.

I have no idea:
- if you need a cookie here (because you don't seem to know yet)
- how you are launching the browser
- how you would get the browser to send a cookie in the request (assuming
  you actually need a cookie in the first place)

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F472507E-A5D9-4743-80BC-BDCEC01534E9@xxxxxxxxxxxxxxxx
Sorry for repeatedly asking this....

Would the below be possible if we are dealing with 2 different
locations/network?

Client          Comm Server     Company Web/Auth Server
(Location 1)    (Location 2)    (Location 3)

First Authorization/Communication occurs between Location 2 and Location 3,
the subsequent Browser Launching occurs in Location 1 (to Location 3), here
Location 1 needs to use the auth information from Location 2.

Once again, Thank you very much for your patience and the response.




"Joe Kaplan" wrote:

Basically, if you have a web client of some sort that provides some
authentication data and receives a cookie back that can be used for
subsequent authentication, then it is likely that you can capture the cookie
returned from the server and use that in a different request.

The actual mechanics of this will vary, but to give you an example, if you
program with .NET HttpWebRequest and HttpWebResponse, you have access to
Cookies collections that contain the cookies the server sends to the client
and cookies the client sends to the server.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DA5C83B5-9548-4DEE-B1A2-3D66703F12ED@xxxxxxxxxxxxxxxx
Thank you for responding, I will try that as well.

All Novell does is LDAP verification, but the Auth Session/Cookie that gets
established on the Client is what I would like to re-use, but they are not
different network.

From the browser standpoint would it be possible to launch a browser with
the Auth Session/Cookie that got established from a different
machine/client? If so, can you please give me some details.

Thank you in advance.



"Joe Kaplan" wrote:

It really seems like you should be asking this on a forum that has more
information regarding how the Novell system works here. There may be a
cookie or other session token related to this that you can reuse, but if the
authentication method is proprietary, you need to find out those proprietary
details.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FDFAE179-7AF0-450D-9264-1BAAEE5B5E8D@xxxxxxxxxxxxxxxx
One of the thoughts we have is...

Is there a way that the Session/Auth Cookie that got established on
Step 3 be copied or created on the Client Machine (Step 5) and get used in
(Step 6 - to bypass authentication)?

"Enthu" wrote:

I have a security question and would like to see if there are any options to
overcome this issue. Please read below for the sequence of process that is
occurring and the issue that I am having...

Step 1: Client Machine sends XML data to an external Communication Server
Step 2: Communication Server reformats the XML data received from the Client
Machine
Step 3: Communication Server then Posts (SSL) the reformatted XML with a
Userid and Password to a company website (which uses Novell iChain for
authorization)
Step 4: Company Website processes the received XML data and returns a
Response with a URL to launch on the Client Machine
Step 5: Communication Server returns the data to the Client and launches a
browser with the URL (Page to a Company Website) from the XML response
Step 6: At this point the Client is required to Login (due to Novell iChain
security on the Company Website)

For ease of use, our company would prefer to not have the user enter the
UserName and Password, but still be able to launch the URL and pass the
credentials.

Any response would be very much appreciated












