Pubcookie
Encyclopedia
Pubcookie is a protocol and a software package for providing single sign-on
within web application
s and website
s of an organization. An untrusted web application authenticates the end user against a trusted authentication server via a trusted login server. The Pubcookie software is open source
and licensed under the Apache License
. Pubcookie was initially developed at the University of Washington
in 1998.
equipped with a Pubcookie module. When an unauthenticated end user attempts to access the web application, the module sets two cookie
s (pre-session cookie and granting request) and redirects the user to a Pubcookie login server. The granting request cookie is scoped so that it reaches the login server. It contains information about the application, requested resource and desired authentication service.
The login server now presents a login page, allowing the user to present a username and a password or some other kind of credentials. The login server forwards the information presented by the user to an authentication server. If the login server receives a response indication success, it sets two cookies (login cookie and granting cookie) and redirects the user back to the web application. The granting cookie is scoped to reach the web application server, whose Pubcookie module uses the contents of the pre-session cookie and the granting cookie to generate the final session cookie.
If the user needs to access another web application, the login server receives the login cookie and provides the granting cookie without presenting a login page. Notice that the web applications never receive the password (or some other secret) the user uses to authenticate.
The cookies the login server and the web applications exchange are encrypted using symmetric encryption to prevent eavesdropping. The granting cookie is digitally signed
to prevent tampering. The cookies carry a timestamp to prevent replay attack
s.
s are typically configured to disallow third-party cookies or cookies scoped to multiple domain name
s. Since organizations rarely share domain names, Pubcookie is effectively limited to intra-organizational use.
Single sign-on
Single sign-on is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them...
within web application
Web application
A web application is an application that is accessed over a network such as the Internet or an intranet. The term may also mean a computer software application that is coded in a browser-supported language and reliant on a common web browser to render the application executable.Web applications are...
s and website
Website
A website, also written as Web site, web site, or simply site, is a collection of related web pages containing images, videos or other digital assets. A website is hosted on at least one web server, accessible via a network such as the Internet or a private local area network through an Internet...
s of an organization. An untrusted web application authenticates the end user against a trusted authentication server via a trusted login server. The Pubcookie software is open source
Open source
The term open source describes practices in production and development that promote access to the end product's source materials. Some consider open source a philosophy, others consider it a pragmatic methodology...
and licensed under the Apache License
Apache License
The Apache License is a copyfree free software license authored by the Apache Software Foundation . The Apache License requires preservation of the copyright notice and disclaimer....
. Pubcookie was initially developed at the University of Washington
University of Washington
University of Washington is a public research university, founded in 1861 in Seattle, Washington, United States. The UW is the largest university in the Northwest and the oldest public university on the West Coast. The university has three campuses, with its largest campus in the University...
in 1998.
Authentication process
The web application is installed on a web serverWeb server
Web server can refer to either the hardware or the software that helps to deliver content that can be accessed through the Internet....
equipped with a Pubcookie module. When an unauthenticated end user attempts to access the web application, the module sets two cookie
HTTP cookie
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site...
s (pre-session cookie and granting request) and redirects the user to a Pubcookie login server. The granting request cookie is scoped so that it reaches the login server. It contains information about the application, requested resource and desired authentication service.
The login server now presents a login page, allowing the user to present a username and a password or some other kind of credentials. The login server forwards the information presented by the user to an authentication server. If the login server receives a response indication success, it sets two cookies (login cookie and granting cookie) and redirects the user back to the web application. The granting cookie is scoped to reach the web application server, whose Pubcookie module uses the contents of the pre-session cookie and the granting cookie to generate the final session cookie.
If the user needs to access another web application, the login server receives the login cookie and provides the granting cookie without presenting a login page. Notice that the web applications never receive the password (or some other secret) the user uses to authenticate.
The cookies the login server and the web applications exchange are encrypted using symmetric encryption to prevent eavesdropping. The granting cookie is digitally signed
Digital signature
A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit...
to prevent tampering. The cookies carry a timestamp to prevent replay attack
Replay attack
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet...
s.
Limitations
Web browserWeb browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
s are typically configured to disallow third-party cookies or cookies scoped to multiple domain name
Domain name
A domain name is an identification string that defines a realm of administrative autonomy, authority, or control in the Internet. Domain names are formed by the rules and procedures of the Domain Name System ....
s. Since organizations rarely share domain names, Pubcookie is effectively limited to intra-organizational use.
See also
- CoSign single sign onCoSign single sign onCosign is an open source project originally designed by the Research Systems Unix Group to provide the University of Michigan with a secure single sign-on web authentication system....
— open source web single sign-on, originally developed at the University of Michigan - Central Authentication ServiceCentral Authentication ServiceThe Central Authentication Service is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials only once. It also allows web applications to authenticate users without gaining access to a user's security credentials,...
— another open source single sign-on protocol, originally developed at Yale - Shibboleth (Internet2)Shibboleth (Internet2)Shibboleth is an Internet2 project that has created an architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on Security Assertion Markup Language . Federated identity allows for information about users in one security domain...
-- “The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries.” - Stanford WebAuth
- University of Minnesota CookieAuth