[Systers-dev] Fwd: cookies and sessions

Malveeka Tewari malveeka at gmail.com
Sat Jun 13 07:10:54 PDT 2009


This is a more detailed mail about the use of cookies and sessions for
enabling Single Sign On. I am planning to continue with mailman presently
but I think we should keep this approach too at the back of our minds.

Thanks
Malveeka

---------- Forwarded message ----------
From: SitG Admin <sysadmin at shadowsinthegarden.com>
Date: Tue, Jun 9, 2009 at 5:46 PM
Subject: Re: cookies and sessions
To: Malveeka Tewari <malveeka at gmail.com>


> How would the administrator enable the cookie for users' accounts?
> I mean how do I save the cookies from the session of one application and use
> it for the other?
>

Cookies are not application-specific. Cookies are text files sent by the
server to the user's browser, with a specified domain. All further requests
by the browser to that domain should be accompanied by the cookie values.
This enables an inherently stateless mode (browser sending intermittent
requests to server, receiving responses) to act as a stateful mode by
remembering data about the user between visits.

If you try to set the user's session ID in one application, while already
having it set from another application, and that value has the same variable
name, will it be overwritten, causing the user to lose their session with
the first application? Good session managers will read the user's cookie and
use that (previously set) ID.

If all your applications are on the same server, using the same cookies
should be straightforward: the server will keep all its session data in the
same place. If you are hosting applications on different servers, you may
want to use one of the database session managers, host that on one of the
servers, and teach all your applications to contact it across the network
when needing sessions.

What you need to do is look inside each application and find out "HOW does
this tell the difference between a user that has already logged in and a
user that has not yet logged in?". Once you know this, it will be simple to
change that code to "if the session data includes 'authenticated=TRUE'", and
in each of those applications, change the code for "do whatever we would
normally do to mark the user as logged in" to "set 'authenticated' to TRUE".

When this is done, each of your applications will make a single change to
your server's stored session data, and each of them will look for that
single change to determine whether the user is logged in.

Just remember basic security: the content of cookies issued to the USER must
have only the session ID, *not* their username and login status, because it
is trivial to discover the content of cookies (remember, these are just
*plain text files* stored by the user's browser), and attackers could easily
edit their cookies to present a chosen username and appropriate "Hey, look
at me, I'm logged in!" status, tricking your server into accepting that
claim. Keep track of all that data on YOUR end.

-Shade
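
The shared-session design Shade describes, as an added example that is not code from the original mail or from mailman: two hypothetical applications ("wiki" and "forum") on one domain share a cookie that carries only an opaque session ID, both read and set a single 'authenticated' flag in a server-side store, and a second app reuses an ID that the first has already issued rather than overwriting it. The cookie name, domain, application names and credential table are all assumed for the example, and the insecure variant at the end shows what the closing warning is about: a cookie that carries the username and login status is trivially forged.

```python
"""Single sign-on via one shared, server-side session store (added example)."""
import hmac
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"          # assumed shared cookie name
COOKIE_DOMAIN = "example.org"   # assumed domain; placeholder value

# Constructed credential table for the example only; a real application
# would compare against a salted password hash, not plaintext.
CREDENTIALS = {"alice": "correct-horse", "bob": "battery-staple"}


def check_password(username, password):
    expected = CREDENTIALS.get(username)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


class SessionStore:
    """In-memory stand-in for the mail's 'database session manager'."""

    def __init__(self):
        self._data = {}

    def create(self):
        sid = secrets.token_urlsafe(32)          # 256 random bits, unguessable
        self._data[sid] = {"authenticated": False, "user": None}
        return sid

    def get(self, sid):
        return self._data.get(sid)

    def lookup(self, cookie_header):
        """Session named by the browser's Cookie header, or None if unknown."""
        morsel = SimpleCookie(cookie_header or "").get(SESSION_COOKIE)
        return self._data.get(morsel.value) if morsel is not None else None

    def get_or_create(self, cookie_header):
        """Reuse the ID another app already set instead of overwriting it.

        Returns (sid, set_cookie); set_cookie is None when the browser
        already holds a valid ID and no new cookie needs to be issued."""
        morsel = SimpleCookie(cookie_header or "").get(SESSION_COOKIE)
        if morsel is not None and morsel.value in self._data:
            return morsel.value, None
        sid = self.create()
        # Only the ID goes to the browser. HttpOnly keeps scripts away from
        # it; Secure assumes the apps are served over HTTPS.
        set_cookie = (f"{SESSION_COOKIE}={sid}; Domain={COOKIE_DOMAIN}; "
                      "Path=/; HttpOnly; Secure")
        return sid, set_cookie


def wiki_login(store, cookie_header, username, password):
    """The wiki's 'mark the user as logged in' step, now setting the shared flag.

    Returns (True, set_cookie_or_None) on success, (False, None) otherwise."""
    if not check_password(username, password):
        return False, None
    sid, set_cookie = store.get_or_create(cookie_header)
    session = store.get(sid)
    session["authenticated"] = True
    session["user"] = username
    return True, set_cookie


def forum_current_user(store, cookie_header):
    """The forum's 'has this user logged in?' check, now reading the shared flag."""
    session = store.lookup(cookie_header)
    if session is not None and session["authenticated"]:
        return session["user"]
    return None


def logout(store, cookie_header):
    """Either app logs the user out of both by clearing the server-side state."""
    session = store.lookup(cookie_header)
    if session is not None:
        session["authenticated"] = False
        session["user"] = None


def insecure_current_user(cookie_header):
    """What the mail warns against: trusting user/auth values from the cookie."""
    cookies = SimpleCookie(cookie_header or "")
    auth = cookies.get("auth")
    if auth is not None and auth.value == "TRUE" and "user" in cookies:
        return cookies["user"].value          # attacker-chosen, never verified
    return None


if __name__ == "__main__":
    store = SessionStore()
    ok, set_cookie = wiki_login(store, None, "alice", "correct-horse")
    sid = set_cookie.split(";", 1)[0].split("=", 1)[1]
    print("forum sees:", forum_current_user(store, "sid=" + sid))
    print("forged sid:", forum_current_user(store, "sid=forged"))
    print("tampered cookie fools insecure check:",
          insecure_current_user("user=admin; auth=TRUE"))
```

The forged-ID case is what makes the server-side design hold up: an attacker who edits the cookie can only present an ID, and an ID the store has never issued maps to no session at all, whereas the insecure check accepts whatever name and status the cookie claims.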

