Win a copy of Transfer Learning for Natural Language Processing (MEAP) this week in the Artificial Intelligence and Machine Learning forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • Paul Clapham
  • Devaka Cooray
  • Bear Bibeault
Sheriffs:
  • Junilu Lacar
  • Knute Snortum
  • Liutauras Vilda
Saloon Keepers:
  • Ron McLeod
  • Stephan van Hulst
  • Tim Moores
  • Tim Holloway
  • Piet Souris
Bartenders:
  • salvin francis
  • Carey Brown
  • Frits Walraven

SSO is secure ?

 
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
http://www.jforum.net/doc/SSOCookies
This link writes about SSO but

2 Cookie cookie = new Cookie("JforumSSO", user.getUsername());
3 cookie.setMaxAge(-1) // session cookie, or set to positive number.
4 response.addCookie( cookie );


Everybody can make fake cookie to enter website as someone others account.
Maybe I'm wrong for that but as far as i know hotmail has had a security hole like that too before...
When user clicks on some link on hotmail window , attacker access his account for free
There is no security for that ? :roll:

By the way , i m using
SSOCookies.java for sso
[originally posted on jforum.net by kadirbasol]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Good security point. But was meant as a simple example of how to write your own SSO Cookie based implementation and not how to create a secure cookie. SSO implementators need to consider what level of security they need to build in.

For example, the value of the cookie should be some sort of encrypted string that identifies the specific PC and user. This means that even if someone "hijacks" your cookie, they can't use it.

Of course, if you need high security, you should be using SSL with Cookies as well.
[originally posted on jforum.net by monroe]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
When i set Cookie from my outside jsp application


Redirect user to jforum will create new username "JDuke" if user doesnt exists.
Also with default password on sso and default mail.Right ?
if user already exists , he will login as JDuke.
As i understood sso ...

Here is my CookieUserSSO :

[originally posted on jforum.net by kadirbasol]
 
Pay attention! Tiny ad!
Two software engineers solve most of the world's problems in one K&R sized book
https://coderanch.com/wiki/718759/books/Building-World-Backyard-Paul-Wheaton
    Bookmark Topic Watch Topic
  • New Topic