WebISO: the killer kerberos app?

Christopher Kranz clk at princeton.edu
Fri Mar 12 20:10:25 EST 2004


Russ Allbery <rra at stanford.edu> wrote in message news:<87u11268rg.fsf at windlord.stanford.edu>...
[snip]
> 
> The application server then receives and decodes that authenticator,
> validates it, and then creates a cookie containing a more persistent
> authenticator just for that service.  That cookie is, however, now that
> user's identifier with respect to that service, and if someone steals that
> cookie, they could masquerade as the user to that service, so the cookie
> has to be protected.  Hence SSL.
> 
[snip]
> 
> It turns out, though, that this doesn't work because it would allow people
> to steal the authenticator, particularly the persistent authenticator that
> lives in the cookie.

Firstly, thanks for your patience.  Secondly, I now understand what I
was missing.  I could not figure out why you bothered to create the
persistent cookie to begin with.  I mean you had a perfectly good
Kerberos authenticator already, why build another?  Then it hit me,
HTTP is stateless.  There are no persistent connections.  Doh.

Kerberos kind of has built into it the assumption that once the
session is established the same network connection will be used for
the life of the session.  HTTP sessions are made up of many, many
connections.  Going back to the login server each time for a new
authenticator just does not make any sense.

Thanks again for your help.

    Christopher Kranz
    clk at princeton.edu
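The flow Russ describes above, as an added example that is not code from the thread or from any WebISO/WebAuth implementation: the login server issues a short-lived authenticator bound to one target service; the application server validates it, refuses replays, and mints its own longer-lived cookie, which is then the user's identifier on every subsequent (stateless) HTTP request. The Kerberos authenticator is stood in for by an HMAC-signed token under a constructed shared key, and all key values, service names and lifetimes are assumptions chosen for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo keys (assumptions). In a real deployment the login-server
# token would be Kerberos-derived and each application server would hold its
# own cookie key; here one global stands in for each role.
LOGIN_SERVER_KEY = b"login-server-demo-key"    # shared by login server and app servers
SERVICE_COOKIE_KEY = b"app-server-cookie-key"  # private to the application server

AUTHENTICATOR_TTL = 60        # seconds: one short hop from login server to app server
COOKIE_TTL = 8 * 3600         # seconds: the persistent per-service session


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: dict) -> str:
    """Serialize payload canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def _verify(key: bytes, token: str, now: float):
    """Return the payload if the tag matches under `key` and it has not expired, else None."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:            # malformed token or bad base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    payload = json.loads(body)
    if payload["exp"] < now:
        return None
    return payload


# --- login server side ---------------------------------------------------
def issue_authenticator(user: str, service: str, now: float) -> str:
    """Mint a short-lived, single-use authenticator addressed to one service."""
    return _sign(LOGIN_SERVER_KEY, {
        "sub": user,
        "aud": service,                  # bound to the target service
        "nonce": secrets.token_hex(8),   # lets the app server detect replay
        "exp": now + AUTHENTICATOR_TTL,
    })


# --- application server side ---------------------------------------------
class AppServer:
    def __init__(self, name: str):
        self.name = name
        self.seen_nonces = set()   # replay defence for the one-hop authenticator

    def redeem_authenticator(self, token: str, now: float):
        """Validate the login server's authenticator, then mint this service's own cookie.

        The returned cookie is a bearer credential: it must travel only over
        TLS (Set-Cookie with Secure and HttpOnly) because whoever holds it
        is the user as far as this service is concerned.
        """
        p = _verify(LOGIN_SERVER_KEY, token, now)
        if p is None or p["aud"] != self.name or p["nonce"] in self.seen_nonces:
            return None
        self.seen_nonces.add(p["nonce"])
        return _sign(SERVICE_COOKIE_KEY, {
            "sub": p["sub"],
            "aud": self.name,
            "exp": now + COOKIE_TTL,
        })

    def user_from_cookie(self, cookie: str, now: float):
        """Each later HTTP request is a fresh connection: the cookie alone names the user."""
        p = _verify(SERVICE_COOKIE_KEY, cookie, now)
        if p is None or p["aud"] != self.name:
            return None
        return p["sub"]


if __name__ == "__main__":
    now = 1_000_000.0
    wiki = AppServer("wiki.example.edu")          # invented service name
    auth = issue_authenticator("clk", "wiki.example.edu", now)
    cookie = wiki.redeem_authenticator(auth, now)
    print("user on later request:", wiki.user_from_cookie(cookie, now + 100))
    print("replayed authenticator accepted?", wiki.redeem_authenticator(auth, now + 1) is not None)
```

The point the example makes is the one in the exchange: the authenticator and the cookie are different credentials under different keys, the authenticator is good for one hop to one service, and the cookie is what actually carries identity across the many connections of an HTTP session, so it is the cookie that SSL has to protect.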

