Re: Bypass Authentication



OK, the second point is what concerns me and was not sure about and this is
what I need more information on....

During the initial authentication from Comm Server to Location 3 a
Set-Cookie gets established on the Client upon a Successful logon. I was
planning on capturing the cookie on Location 3. Upon Launching the browser
on the Client (with a page), I was planning on doing a set cookie to the
client with the cookie that was captured earlier.

My worry was what kind of information does the cookie have on the Set Cookie
on a successful Logon, does it do any IP or Machine Name check on subsequent
navigation?



"Joe Kaplan" wrote:

The first two things you need to understand clearly are:
- Does the destination server in "location 3" require a specific cookie to
be sent by the browser to authenticate the user?
- Is it possible to capture that cookie from somewhere else and send it
from a different source location?

For the second question, it may be the case that there is a cookie, but it
encodes information about the source IP address in it to help prevent replay
attacks and thus you could not use it successfully from a different source
IP.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0CDC83E7-A42A-4F1D-A79B-280839B5A4AE@xxxxxxxxxxxxxxxx
Please let me know what kind of information you need to make a determination
on this. I am not trying to be painful here, want to make sure that I give
you the right information.

"Joe Kaplan" wrote:

I believe it is possible but I definitely can't help with the details until
you get some more details as to how the system actually is going to work. I
don't think we know enough yet to confirm whether it can actually be made to
work.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E30C3250-A32E-451B-AE23-A05D23008F88@xxxxxxxxxxxxxxxx
I believe we are on the same page now...

1) Yes I believe the issue can be resolved if we are able to pass the
authentication cookie back to the Server at Location 3 from Location 1.

2) I am not sure how it is done exactly, as it is done by the Third Party
application.

3) If I write a .NET program, which accepts the URL, cookie(Id), which in
turn creates a cookie on the client and launches the browser, and provide it
to the Third Party application to use this program to launch the browser.

Do you believe that there is a possibility that the above would work?

Thank you for taking time in working this through with me.


"Joe Kaplan" wrote:

It depends on details that I don't know and would have no way of knowing.

Assuming that the server at location 3 requires a cookie to be sent to it to
provide authentication information, you need to find a way to get the
browser to send that cookie. Normally, browsers send cookies as a result of
a server sending them a Set-Cookie response header or by having a file based
cookie already on the local client that the browser would then send.

I have no idea:
- if you need a cookie here (because you don't seem to know yet)
- how you are launching the browser
- how you would get the browser to send a cookie in the request (assuming
you actually need a cookie in the first place)

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F472507E-A5D9-4743-80BC-BDCEC01534E9@xxxxxxxxxxxxxxxx
Sorry for repeatedly asking this....

Would the below be possible if we are dealing with 2 different
locations/network.

Client          Comm Server      Company Web/Auth Server
(Location 1)    (Location 2)     (Location 3)

First Authorization/Communication occurs between Location 2 and Location 3,
the subsequent Browser Launching Occurs in Location 1 (to Location 3), here
Location 1 needs to use the auth information from Location 2.

Once again, Thank you very much for your patience and the response.




"Joe Kaplan" wrote:

Basically, if you have a web client of some sort that provides some
authentication data and receives a cookie back that can be used for
subsequent authentication, then it is likely that you can capture the cookie
returned from the server and use that in a different request.

The actual mechanics of this will vary, but to give you an example, if you
program with .NET HttpWebRequest and HttpWebResponse, you have access to
Cookies collections that contain the cookies the server sends to the client
and cookies the client sends to the server.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DA5C83B5-9548-4DEE-B1A2-3D66703F12ED@xxxxxxxxxxxxxxxx
Thank you for responding, I will try that as well.

All Novell does is LDAP verification, but the Auth Session/Cookie that gets
established on the Client is what I would like to re-use, but they are not
different network.

From the browser stand point would it be possible to launch a browser with
the Auth Session/Cookie that got established from a different
machine/client.
If so, can you please give me some details.

Thank you in advance.



"Joe Kaplan" wrote:

It really seems like you should be asking this on a forum that has more
information regarding how the Novell system works here. There may be a
cookie or other session token related to this that you can reuse, but if the
authentication method is proprietary, you need to find out those proprietary
details.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Enthu" <Enthu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FDFAE179-7AF0-450D-9264-1BAAEE5B5E8D@xxxxxxxxxxxxxxxx
One of the thoughts we have is...

Is there a way that the Session/Auth Cookie that got established on Step 3
be copied or created on the Client Machine (Step 5) and get used in
(Step 6 - to bypass authentication).

"Enthu" wrote:

I have a security question and would like to see if there are any options to
overcome this issue. Please read below for the sequence of process that is
occurring and the issue that I am having...

Step 1: Client Machine sends XML data to an external Communication Server
Step 2: Communication Server reformats the XML data received from the Client
Machine
Step 3: Communication Server then Posts (SSL) the reformatted XML with a
Userid and Password to a company website (which uses Novell iChain for
authorization)
Step 4: Company Website processes the received XML data and returns a
Response with a URL to launch on the Client Machine
Step 5: Communication Server returns the data to the Client and launches a
browser with the URL (Page to a Company Website) from the XML response
Step 6: At this point the Client is required to Login (due to Novell iChain
security on the Company Website)

For ease of use, our company would prefer to not have the user enter the
UserName and Password, but still be able to launch the URL and pass the
credentials.

Any response would be very much appreciated
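
Added example, not part of the original thread and not a description of how
Novell iChain actually builds its cookies: a Python illustration of the
server-side check Joe Kaplan describes, where the session cookie is tied to
the source IP so that a cookie issued to one address is rejected when it is
presented from another. The key, cookie layout, user name and addresses are
all constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo values (assumptions, not taken from the thread or from iChain).
SERVER_KEY = b"constructed-demo-key"
TTL_SECONDS = 900
COMM_SERVER_IP = "203.0.113.10"   # Location 2, where the logon happens
CLIENT_IP = "198.51.100.25"       # Location 1, where the browser is launched


def _mac(user, expires, client_ip, key):
    # The source IP is covered by the MAC but is not stored in the cookie.
    msg = f"{user}\n{expires}\n{client_ip}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_cookie(user, client_ip, now=None, key=SERVER_KEY):
    if "|" in user or "\n" in user:
        raise ValueError("user name contains a reserved character")
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    tag = base64.urlsafe_b64encode(_mac(user, expires, client_ip, key)).decode()
    return f"{user}|{expires}|{tag}"


def verify_cookie(cookie, client_ip, now=None, key=SERVER_KEY):
    """Return (user, "ok") on success, otherwise (None, reason)."""
    try:
        user, expires_s, tag_s = cookie.split("|")
        expires = int(expires_s)
        tag = base64.urlsafe_b64decode(tag_s.encode())
    except ValueError:
        return None, "malformed"
    # Recompute the MAC with the address the request actually came from.
    if not hmac.compare_digest(tag, _mac(user, expires, client_ip, key)):
        return None, "mac-mismatch"
    if (time.time() if now is None else now) >= expires:
        return None, "expired"
    return user, "ok"


if __name__ == "__main__":
    cookie = issue_cookie("demo-user", COMM_SERVER_IP)
    print(verify_cookie(cookie, COMM_SERVER_IP))  # same source address
    print(verify_cookie(cookie, CLIENT_IP))       # replayed from Location 1
```

Binding a session to the source IP also rejects legitimate users whose
address changes mid-session (NAT pools, proxies, mobile networks), so a
server that does this has to accept that trade-off.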















