SSO using query string instead of cookie.

Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Since I have had some problems getting cookies to work properly on my website and since I do not want to force my users to have to turn cookies "on", I am trying to use a query string instead of a cookie, as follows:

1. I set authentication.type=sso
2. I set sso.implementation=net.jforum.sso.mySSOAuthentication
3. I initiate Jforum by linking to
http://.../jforum/forum.page&module=forums&action=list&ID=123456

In net.jforum.sso.mySSOAuthentication's authenticateUser() and isSessionValid() methods, I use the following to get the value of ID:

String ID = request.getParameter("ID");

ID is a randomly generated session number in the application that initiates Jforum. I use it to get the user ID, password, etc. from my application's database and then invalidate it before initiating Jforum.

This works great, but I am having something that looks like caching problems. For example, when I log into my application and initiate Jforum as above, everything is OK. Then, without taking my browser down, I log out of my application and log back in as a different user. When I then initiate Jforum, the previous user is still logged into Jforum. My mySSOAuthentication's methods are not called by the second initiation of Jforum. In the real world, this may not be a big problem, because multiple users will not usually log in from the same PC, but the security hole exists.

1) If I get this to work, what holes do any of you see in it?

2) Any ideas about my potential caching problem?

Thanks,

Danny
[originally posted on jforum.net by dhhoyle]
The RemoteUserSSO.isSessionValid code has the logic your SSO code will need to keep this from happening.

Basically, it checks to see if the information on the request matches the information about the user in the jforum userSession object and does the right thing depending on whether they match or not (or whether it is the anonymous user).

Your code should do the same sort of logic.
[originally posted on jforum.net by monroe]
Monroe,

I admit that I essentially copied/plagiarized parts of RemoteUserSSO, leaving out parts that I did not understand. I must now take your suggestion.

Thanks,

Danny
[originally posted on jforum.net by dhhoyle]
It now works like a charm.

Monroe, thanks again,

Danny

ps: For those with interest, the code that I left out was in the isSessionValid() method in RemoteUserSSO. The correct way for my application was to replace

String remoteUser = request.getRemoteUser();

with my code and leave the rest of the method in place.
[originally posted on jforum.net by dhhoyle]
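The scheme the thread converges on, written out as an added example (this is not dhhoyle's or JForum's own code): a JForum SSO implementation that authenticates from a one-time handoff token in the ID query-string parameter and keeps the three checks of RemoteUserSSO.isSessionValid(), with request.getRemoteUser() replaced by the token lookup. It assumes the JForum 2.1.x SSO interface (authenticateUser(RequestContext) and isSessionValid(UserSession, RequestContext)), that RequestContext.getSessionContext() exposes get/setAttribute, and that SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID) yields the anonymous user id. The in-memory PENDING_TOKENS map and the issueToken() helper are hypothetical stand-ins for the launching application's database; the attribute name sso.username and the 60-second TTL are choices made here, not anything the thread specifies.

```java
package net.jforum.sso;

import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import net.jforum.context.RequestContext;
import net.jforum.entities.UserSession;
import net.jforum.util.preferences.ConfigKeys;
import net.jforum.util.preferences.SystemGlobals;

/**
 * SSO that logs a user in from a single-use handoff token carried in the
 * "ID" query-string parameter, instead of a cookie or container REMOTE_USER.
 * Added example; the assumed JForum API is described in the lead-in.
 */
public class QueryStringTokenSSO implements SSO
{
    private static final String TOKEN_PARAM = "ID";
    private static final String USER_ATTR = "sso.username"; // kept in the servlet session
    private static final long TOKEN_TTL_MILLIS = 60 * 1000L; // tokens in URLs leak; keep them short-lived

    private static final SecureRandom RANDOM = new SecureRandom();

    // Hypothetical stand-in for the launching application's table of pending tokens.
    private static final Map<String, Pending> PENDING_TOKENS = new ConcurrentHashMap<String, Pending>();

    private static final class Pending {
        final String username;
        final long expiresAt;
        Pending(String username, long expiresAt) { this.username = username; this.expiresAt = expiresAt; }
    }

    /**
     * Called by the launching application just before it links to
     * .../forum.page?module=forums&action=list&ID=<token>.
     * 128 bits from SecureRandom: unguessable, and never derived from the username.
     */
    public static String issueToken(String username)
    {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        String token = String.format("%032x", new BigInteger(1, bytes));
        PENDING_TOKENS.put(token, new Pending(username, System.currentTimeMillis() + TOKEN_TTL_MILLIS));
        return token;
    }

    /**
     * Resolve the user for this request. A token on the URL is consumed exactly
     * once (remove-then-use, so a replayed or bookmarked URL cannot log anyone in)
     * and the resolved name is remembered in the servlet session, because later
     * clicks inside JForum carry no ID parameter at all. Calling this twice in
     * the same request (isSessionValid, then authenticateUser) is therefore safe.
     */
    private String currentUser(RequestContext request)
    {
        String token = request.getParameter(TOKEN_PARAM);
        if (token != null) {
            Pending pending = PENDING_TOKENS.remove(token);
            if (pending != null && pending.expiresAt >= System.currentTimeMillis()) {
                request.getSessionContext().setAttribute(USER_ATTR, pending.username);
            }
            // unknown, replayed or expired token: fall through to what the session already holds
        }
        return (String) request.getSessionContext().getAttribute(USER_ATTR);
    }

    public String authenticateUser(RequestContext request)
    {
        return currentUser(request); // null => JForum treats the visitor as anonymous
    }

    public boolean isSessionValid(UserSession userSession, RequestContext request)
    {
        // The one line that differs from RemoteUserSSO: the token lookup replaces getRemoteUser().
        String remoteUser = currentUser(request);
        int anonymousId = SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID);

        if (remoteUser == null && userSession.getUserId() != anonymousId) {
            return false; // user has since logged out
        }
        if (remoteUser != null && userSession.getUserId() == anonymousId) {
            return false; // user has since logged in
        }
        if (remoteUser != null && !remoteUser.equals(userSession.getUsername())) {
            return false; // a different user arrived on this browser session (the thread's "caching" case)
        }
        return true;
    }
}
```

Returning false from isSessionValid() is what makes JForum drop its cached UserSession and call authenticateUser() again on the same request, which is why the third check fixes the "previous user still logged in" symptom: the second user's token resolves to a different name than the one in the stale session. Two caveats a practitioner would want: a token in the query string ends up in browser history, proxy and server access logs, and the Referer header of any outbound link, so single use plus a short TTL is the minimum, and the session attribute lives as long as the container session, so a logout in the launching application does not reach JForum unless that application also invalidates the shared servlet session.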
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: SSO using query string instead of cookie.
 
Similar Threads
RemoteSSO?
Jforum SSO - restrict direct forum access => redirect to login page if not loged in please help!!!
Using JForum SSO - a kludger's tale
SSO with JForum
SSO /redirect / anonymous users