[Owasp-austin] Question to the app security smartypants (plural)

Dan Cornell dan at denimgroup.com
Tue Nov 6 08:35:34 EST 2007


> What's the "industry standard" secure ways of doing this?  I have
> programmers talking about all kinds of crazy solutions; spoofing
> setting of
> cookies, putting junk in URLs, etc.  I'm not sure what the canonical
> solution is...
> 

Something we have done in the past that may or may not work for you is
to create a hand-off form post containing a set of key/value pairs with
the info you want to transfer.  We also included a timestamp and did some
other stuff to increase randomness.  This post data was encrypted by the
sending site with an AES key shared between the sender and the receiver.
The receiver web site receives the POST, unpacks and decrypts the data
and then makes a decision about whether they want to honor the
authentication and what permissions the user should have on the system.

So on the Sender site you would have a FORM like this:

<FORM method='POST' action='http://destination/receiver.jsp'>
    <!-- encrypted key/value payload; sent as a POST so it stays out of the URL -->
    <input type='hidden' name='userinfo' value='(Encrypted stuff here)' />
    <input type='submit' />
</FORM>

The user on the Sender site clicks the Submit button and is taken to the
destination site.  The destination site decrypts the "userinfo" field to
find:

User=dcornell
Timestamp=x:y:z
And so on...

This accomplished similar stuff to SAML but was a little simpler and
lighter weight.  It has the "disadvantage" of not being WS-Whatever
standards-based but worked well for us given the situation's
requirements.  The sender and receiver have to manage their AES keys
through a different channel, but using that as a shared secret to
"federate" the authentication worked for our purposes.  There was a
little bit more to it than this, but hopefully this gives you the basic
idea.

Thanks,

Dan
