JavaRanch » Java Forums » Products » JForum
SSO is secure ?

Migrated From
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
This link writes about SSO, but

Cookie cookie = new Cookie("JforumSSO", user.getUsername()); // cookie value is just the plain username
cookie.setMaxAge(-1); // session cookie, or set to a positive number of seconds
response.addCookie(cookie);

Everybody can make a fake cookie to enter the website with someone else's account.
Maybe I'm wrong about that, but as far as I know Hotmail has had a security hole like that before too...
When the user clicks on some link in the Hotmail window, the attacker accesses his account for free.
Is there no security for that? :roll:

By the way, I'm using for SSO
[originally posted on by kadirbasol]
Good security point. But it was meant as a simple example of how to write your own cookie-based SSO implementation and not how to create a secure cookie. SSO implementers need to consider what level of security they need to build in.

For example, the value of the cookie should be some sort of encrypted string that identifies the specific PC and user. This means that even if someone "hijacks" your cookie, they can't use it.

Of course, if you need high security, you should be using SSL with Cookies as well.
[originally posted on by monroe]
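One way to carry out monroe's suggestion, as an added example in Java that is not JForum's own code: instead of the bare username, the cookie value carries the username, an expiry time, and an HMAC over both computed with a server-side secret, so a cookie that was forged or edited is rejected. The secret below is a placeholder; binding the value to a specific PC and the SSL transport are left to the deployment.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Added example, not JForum's code: an SSO cookie value that cannot be forged or
// altered without the secret shared by the applications that accept it.
public class SignedSsoCookie {
    private static final String ALG = "HmacSHA256";
    private final byte[] secret;  // must be the same on every application in the SSO group

    public SignedSsoCookie(byte[] secret) { this.secret = secret; }

    // value = base64url(username) "." expiryMillis "." base64url(HMAC(first two fields))
    public String issue(String username, long expiresAtMillis) {
        String payload = b64(username.getBytes(StandardCharsets.UTF_8)) + "." + expiresAtMillis;
        return payload + "." + b64(hmac(payload));
    }

    // Returns the username when the cookie is authentic and unexpired, otherwise null.
    public String verify(String cookieValue, long nowMillis) {
        String[] parts = cookieValue.split("\\.", -1);
        if (parts.length != 3) return null;
        try {
            byte[] given = Base64.getUrlDecoder().decode(parts[2]);
            // constant-time comparison: equals() would leak how many leading bytes matched
            if (!MessageDigest.isEqual(hmac(parts[0] + "." + parts[1]), given)) return null;
            if (nowMillis > Long.parseLong(parts[1])) return null;
            return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {  // malformed base64 or expiry field
            return null;
        }
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(secret, ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    public static void main(String[] args) {
        byte[] key = "PLACEHOLDER-replace-with-32-random-bytes".getBytes(StandardCharsets.UTF_8);
        SignedSsoCookie sso = new SignedSsoCookie(key);
        long now = System.currentTimeMillis();
        String cookie = sso.issue("JDuke", now + 3_600_000L);
        System.out.println(sso.verify(cookie, now));   // genuine cookie
        System.out.println(sso.verify("JDuke", now));  // bare-username cookie like the snippet above
        // same cookie with the username field replaced by base64url("admin"): the MAC no longer matches
        String tampered = "YWRtaW4" + cookie.substring(cookie.indexOf('.'));
        System.out.println(sso.verify(tampered, now));
    }
}
```

When setting the servlet Cookie, pair this with cookie.setSecure(true) and cookie.setHttpOnly(true) so the value only travels over SSL and is not readable from page scripts.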
When I set the cookie from my outside JSP application:

Redirecting the user to JForum will create a new user "JDuke" if the user doesn't exist,
also with the default SSO password and default mail. Right?
If the user already exists, he will log in as JDuke.
As I understood SSO...

Here is my CookieUserSSO:

[originally posted on by kadirbasol]