[Owasp-austin] Question to the app security smartypants (plural)

Michael_Craigue at Dell.com Michael_Craigue at Dell.com
Fri Nov 2 09:07:34 EDT 2007


Hi Ernest,

Just a few thoughts to get the conversation started:

You might look into this article on SAML 2.0
(http://en.wikipedia.org/wiki/SAML) for some ideas.

You might also want to consider different ways to handle the various
affiliated sites, depending on the level of security your users require, and
taking into account the level of trust you place in those affiliated sites.

For example, you're going to be a lot more careful if the transactions might
involve payment data, but handing off just for the sake of some
personalization at the next site would demand a lot less.

-Mike

-----Original Message-----
From: owasp-austin-bounces at lists.owasp.org
[mailto:owasp-austin-bounces at lists.owasp.org] On Behalf Of Ernest Mueller
Sent: Thursday, November 01, 2007 3:34 PM
To: owasp-austin
Subject: [Owasp-austin] Question to the app security smartypants (plural)


I thought I'd use this list for a little discussion to get people's juices
flowing!

So, question.  I have a Web site that needs to integrate its custom login
procedures with various ASPs - in other words, we have a Web site login.
As we "outsource" parts of our Web site, we want users to be able to log in
and go to site sections really hosted on ASPs and be "logged in".

What's the "industry standard" secure ways of doing this?  I have
programmers talking about all kinds of crazy solutions; spoofing setting of
cookies, putting junk in URLs, etc.  I'm not sure what the canonical
solution is...

   Assume that the site and the ASP have different but fairly-standard
   login schemes (set a cookie, etc.)
   Assume that it could be the first time the ASP's heard of the user; the
   site doesn't pump all its user data to each partner proactively (meaning
   some data transfer needs to take place at the time).

Thoughts?

Thanks,
Ernest
______________________
UN-altered REPRODUCTION and DISSEMINATION of
this IMPORTANT information is ENCOURAGED.
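As an added illustration (not code from either poster), this is the minimal form of the idea SAML assertions formalize: the site issues a signed, short-lived hand-off token addressed to one ASP, carrying the user data the ASP needs the first time it sees that user, and the ASP checks signature, audience, expiry and replay before creating its own session. It assumes a secret shared between the site and that ASP (SAML uses XML signatures with public keys instead); all names and values are invented.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo secret; in practice each ASP gets its own key.
SHARED_SECRET = b"constructed-demo-secret-change-me"
TOKEN_TTL = 120        # seconds a hand-off token stays valid
CLOCK_SKEW = 30        # tolerance for the ASP's clock being behind the site's


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_handoff(user, asp_id, attrs, now=None, secret=SHARED_SECRET):
    """Site side: build a signed, short-lived token for exactly one ASP."""
    now = int(now if now is not None else time.time())
    claims = {
        "sub": user,                 # who is logged in at the site
        "aud": asp_id,               # the only partner that may accept this token
        "iat": now,
        "exp": now + TOKEN_TTL,
        "jti": os.urandom(8).hex(),  # nonce so the ASP can reject replays
        "attrs": attrs,              # data the ASP needs if it has never seen the user
    }
    body = _b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64encode(sig)


def verify_handoff(token, expected_asp, seen_jtis, now=None, secret=SHARED_SECRET):
    """ASP side: return the claims if the token is valid, else None.
    seen_jtis is the ASP's replay cache (a set of accepted nonces)."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64decode(sig)):
            return None  # tampered, or signed with a different partner's key
        claims = json.loads(_b64decode(body))
    except (ValueError, TypeError):
        return None      # malformed token
    now = int(now if now is not None else time.time())
    if claims.get("aud") != expected_asp:
        return None      # issued for a different affiliated site
    if not (claims["iat"] - CLOCK_SKEW <= now < claims["exp"]):
        return None      # expired, or issued in the future beyond skew tolerance
    if claims["jti"] in seen_jtis:
        return None      # already used once: replay
    seen_jtis.add(claims["jti"])
    return claims
```

Only the site can mint a valid token, so nothing the user can "spoof" in a cookie or URL passes `verify_handoff`; the replay cache and short TTL limit what a stolen token is worth.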
