Web Sign On Intention to remove: WarwickSSO cookie for non-HTTPS servers

4 posts 3 followers RSS feed

1. Mathew Mannion

   #1 15:44, Fri 16 Nov 2018 (edited 14:21, Mon 26 Nov 2018)

   It is our intention to add the secure flag to the WarwickSSO cookie that's scoped over .warwick.ac.uk. This would mean that if you were accessing a page over HTTP (e.g. http://myserver.warwick.ac.uk) modern browsers would not send the WarwickSSO cookie so it would not be possible to use this for authentication.

   Please let us know if this would cause a problem for your services. Unless we receive a request to delay, it is our intention to start setting the secure flag from Monday 3rd December 2018.

   Update (26/11/18): This change has now been rescheduled for Monday 15th April 2019

   1 like
    
2. Andrew Smith Staff Information & Digital

   #2 16:04, Fri 16 Nov 2018 (edited 16:04, Fri 16 Nov 2018)

   Could you please provide a little more information about what impact you think your change might have? Is this adding functionality to make things work better, or tightening a loophole that could potentially prevent existing warwick servers being accessed in some way, either internally or externally? For example, I believe all our LAMP Servers are given a *.lnx.warwick.ac.uk address, and some of those also use the WarwickSSO cookie as part of validation from SiteBuilder. Will this be affected?

   0 likes
    
3. Mathew Mannion

   #3 16:24, Fri 16 Nov 2018

   Adding the secure flag to a cookie when it sent from the server to the client instructs the client to only send the cookie back with requests over a secure connection. The flow looks something like this:

   • User signs in at https://websignon.warwick.ac.uk/origin/hs
   • https://websignon.warwick.ac.uk sends back a cookie, WarwickSSO=abcdef123456; domain=".warwick.ac.uk"; secure. The client's browser stores this cookie
   • Upon any subsequent request to https://...warwick.ac.uk/anything, the client's browser sends a header Cookie: WarwickSSO=abcdef123456

   The reason for adding this flag is to prevent it being sent to any URL starting http:// to a domain ending .warwick.ac.uk. This is because the traffic could be easily sniffed by someone on the same network in order to steal someone's WarwickSSO cookie, which could then be used to impersonate that user.

   Requests that are sent using Sitebuilder content feed pages will be unaffected if they are accessing a URL starting https://.

   0 likes
    
4. Mathew Mannion

   #4 14:19, Mon 26 Nov 2018

   Following discussion with various impacted parties, this change has now been delayed until Monday 15th April 2019.

   0 likes