Web Sign On

Intention to remove: WarwickSSO cookie for non-HTTPS servers

  1. It is our intention to add the secure flag to the WarwickSSO cookie that's scoped over .warwick.ac.uk. This would mean that if you were accessing a page over HTTP (e.g. http://myserver.warwick.ac.uk) modern browsers would not send the WarwickSSO cookie so it would not be possible to use this for authentication.

    Please let us know if this would cause a problem for your services. Unless we receive a request to delay, it is our intention to start setting the secure flag from Monday 3rd December 2018.

    Update (26/11/18): This change has now been rescheduled for Monday 15th April 2019

     
  2. Could you please provide a little more information about what impact you think your change might have? Is this adding functionality to make things work better, or tightening a loophole that could potentially prevent existing Warwick servers being accessed in some way, either internally or externally? For example, I believe all our LAMP Servers are given a *.lnx.warwick.ac.uk address, and some of those also use the WarwickSSO cookie as part of validation from SiteBuilder. Will this be affected?

     
  3. Adding the secure flag to a cookie when it is sent from the server to the client instructs the client to only send the cookie back with requests over a secure connection. The flow looks something like this:

    The reason for adding this flag is to prevent it being sent to any URL starting http:// to a domain ending .warwick.ac.uk. This is because the traffic could be easily sniffed by someone on the same network in order to steal someone's WarwickSSO cookie, which could then be used to impersonate that user.

    Requests that are sent using Sitebuilder content feed pages will be unaffected if they are accessing a URL starting https://.

     
  4. Following discussion with various impacted parties, this change has now been delayed until Monday 15th April 2019.
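
The browser-side rule discussed in this thread, as an added example that is not part of the original posts or of the Web Sign On code: it models the domain-match and Secure checks from RFC 6265 to list which service URLs stop receiving a `.warwick.ac.uk`-scoped cookie once the flag is set. The cookie value, the `example.lnx` hostname, the `example.org` hostname and all function names are constructed for illustration.

```javascript
// Added example: a simplified model of how a browser decides whether to attach
// a Domain-scoped cookie (RFC 6265). Path matching and host-only cookies are
// left out because the cookie in question is scoped over the whole domain.

// Parse the attributes of a Set-Cookie header value that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null, secure: false };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    const k = key.trim().toLowerCase();
    // A leading dot in Domain is ignored by browsers.
    if (k === "domain") cookie.domain = val.trim().toLowerCase().replace(/^\./, "");
    if (k === "secure") cookie.secure = true;
  }
  return cookie;
}

// Domain-match: the host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Would a browser attach this cookie to a request for `url`?
function wouldSendCookie(cookie, url) {
  const u = new URL(url);
  if (!cookie.domain || !domainMatches(u.hostname, cookie.domain)) return false;
  if (cookie.secure && u.protocol !== "https:") return false; // Secure: HTTPS only
  return true;
}

// URLs that receive the cookie today but lose it once Secure is added.
function servicesLosingCookie(urls, domain) {
  const before = parseSetCookie(`WarwickSSO=CONSTRUCTED; Domain=${domain}; Path=/`);
  const after = parseSetCookie(`WarwickSSO=CONSTRUCTED; Domain=${domain}; Path=/; Secure`);
  return urls.filter((u) => wouldSendCookie(before, u) && !wouldSendCookie(after, u));
}

// Constructed sample inventory of service URLs.
const sampleUrls = [
  "http://myserver.warwick.ac.uk/",
  "https://myserver.warwick.ac.uk/",
  "http://example.lnx.warwick.ac.uk/app",
  "https://example.lnx.warwick.ac.uk/app",
  "http://warwick.ac.uk.example.org/",
];
console.log(servicesLosingCookie(sampleUrls, ".warwick.ac.uk"));
```

Run against a real inventory of service URLs, the returned list is the set of endpoints that need to move to HTTPS before the flag is enabled.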