validating ticket content


David Wilson

Feb 28, 2017, 4:08:51 PM
to mod_auth_pubtkt users
Hello,

Through my testing I've found the signature is validated. But the rest of the content is not. For example, I am able to modify the udata field and still get access.

I would like to use this module to authenticate and authorize.

Please instruct me what I'm missing perhaps or if this is a known limitation.



 

Matthew Haynes

Mar 1, 2017, 12:46:00 PM
to mod_auth_p...@googlegroups.com
Hi,

That doesn't sound correct. Been a while since I used this project but the udata and all the other fields are encrypted to make the ticket, so modifying anything should invalidate it.

How do you generate the cookie / tickets? Here is how I did it when I used the project (*) ...


On line 52 you can see sig is the encrypted version of the ticket, so you should not be able to modify anything in there. The apache module should do the verification to ensure this.

(*) still think this is a great lightweight way to do SSO, just no longer need it!

Thanks,

Matt



--

---
You received this message because you are subscribed to the Google Groups "mod_auth_pubtkt users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mod_auth_pubtkt-users+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

John Wittkoski

Mar 1, 2017, 1:17:52 PM
to mod_auth_p...@googlegroups.com
David,
I have not seen the behavior you mentioned. When I modify any part of the cookie the signature validation fails and I am redirected to the login page.

    --John
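
Added example, not part of any post in this thread and not the project's own code: an offline check of the behaviour the two replies describe, using the `openssl` command line. It assumes the module's documented ticket layout (a `sig` field holding a Base64 signature over everything before `;sig=`) and SHA-1 as the digest; the key pair, the field values and the function names `sign_ticket` and `verify_ticket` are constructed for the example.

```shell
#!/bin/sh
# Added example: throwaway key and constructed ticket values, not from the thread.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
digest=sha1   # assumption: the module's default digest for RSA keys

# Throwaway RSA key pair standing in for the login server's private key
# and the public key the Apache module is configured with.
openssl genrsa -out "$work/priv.pem" 2048 2>/dev/null
openssl rsa -in "$work/priv.pem" -pubout -out "$work/pub.pem" 2>/dev/null

# sign_ticket CONTENT: print CONTENT followed by ;sig=<Base64 signature of CONTENT>
sign_ticket() {
    st_sig=$(printf '%s' "$1" |
        openssl dgst "-$digest" -sign "$work/priv.pem" | openssl base64 -A)
    printf '%s;sig=%s' "$1" "$st_sig"
}

# verify_ticket TICKET: succeed only if sig matches every byte before ";sig="
verify_ticket() {
    case $1 in *';sig='*) ;; *) return 1 ;; esac   # unsigned ticket: reject
    vt_content=${1%;sig=*}
    vt_sig=${1##*;sig=}
    printf '%s\n' "$vt_sig" | openssl base64 -d -A >"$work/sig.bin" 2>/dev/null || return 1
    printf '%s' "$vt_content" |
        openssl dgst "-$digest" -verify "$work/pub.pem" -signature "$work/sig.bin" >/dev/null 2>&1
}

ticket=$(sign_ticket 'uid=alice;validuntil=2000000000;tokens=staff;udata=role:user')
# Change only the udata value and keep the original signature.
tampered=$(printf '%s' "$ticket" | sed 's/udata=role:user/udata=role:admin/')

verify_ticket "$ticket"   && echo "original ticket: signature valid"
verify_ticket "$tampered" || echo "modified udata:  signature invalid, ticket rejected"
```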


