CPIP/GCF and handling cookies with the remote_host or remote_addr value encoded in it

We have just written generic CPIP connectors for most of our web-based resources. Recently I have encountered a number of applications that store the value of the remote_host or remote_addr in the cookie and then encrypt it to help deter cookie hijacking.

This causes me a problem, as the IP/host information presented to the remote server is that of my CPIP server and not the user's machine. So when my CPIP servlet consumes the cookie and passes it on to the user prior to redirection, the user does not get to use the remote site, as their cookie is not valid.

Have any of you encountered this issue? If so, what have you done to deal with it?

Comments

MD5 perhaps?

This is probably outside of the scope of the GCF configuration, but using a CPIP connector (yuck) you can duplicate the method used for hashing the REMOTE_HOST / REMOTE_ADDR. For example, if it's something as simple as an MD5, using Java, pull in the library and encode the IP address of the client browser, then overwrite that in the cookie after it's set, but before it's passed back.

If it is some type of proprietary encryption, unless you can figure out the scheme used to generate the string, you are probably out of luck with SSO. The variable would remain set to the IP address of the Jakarta web engine, which will be the IP address of the Luminis server.

But start with MD5...
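The re-minting step that comment describes, written out as an added example (this is not Luminis, CPIP or GCF code, and not code from any poster). It assumes a hypothetical cookie layout of `user|issued|md5hex(REMOTE_ADDR)` and that the hash is an unkeyed MD5 over the dotted-quad address; the real layout and hash input have to be read from the target application's source. The connector address and browser address are constructed sample values. Before touching anything, the rewriter checks that the field it is about to replace really is MD5 of the connector's own address; if it is not, the application is doing something other than plain MD5 and the cookie is left alone rather than silently corrupted.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example: re-mint the REMOTE_ADDR field of a cookie that the back-end
 * application built as md5hex(remote address), so that the browser presents
 * a value bound to its own address instead of the CPIP server's.
 *
 * Assumed (hypothetical) cookie layout: "user|issued|md5hex(remote_addr)".
 */
public final class AddrHashCookieRewriter {

    private AddrHashCookieRewriter() {}

    /** Lower-case hex MD5 of the UTF-8 bytes of the input. */
    public static String md5Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /**
     * Replace the last field (assumed to be md5hex(REMOTE_ADDR)) with the hash of
     * the browser's address. Throws if the cookie does not match the assumed
     * layout, or if the existing field is not md5hex(connectorAddr): in that
     * case the application is not using plain MD5 of the address and rewriting
     * would only produce a cookie the application rejects.
     */
    public static String rewrite(String cookieValue, String connectorAddr, String clientAddr) {
        String[] fields = cookieValue.split("\\|", -1);
        if (fields.length < 2) {
            throw new IllegalArgumentException(
                    "cookie does not match the assumed user|issued|hash layout");
        }
        int last = fields.length - 1;
        // Sanity check: the back end saw the connector's address when it set the cookie.
        if (!fields[last].equalsIgnoreCase(md5Hex(connectorAddr))) {
            throw new IllegalArgumentException(
                    "last field is not MD5(connector address); scheme is not plain MD5 of REMOTE_ADDR");
        }
        fields[last] = md5Hex(clientAddr);
        return String.join("|", fields);
    }

    public static void main(String[] args) {
        String connectorAddr = "192.0.2.10";   // constructed: the Luminis/CPIP server's address
        String clientAddr = "198.51.100.42";   // constructed: the browser address the servlet sees
        // Constructed sample of what the back end would set when the connector logged in.
        String fromBackend = "jdoe|1160000000|" + md5Hex(connectorAddr);
        String forBrowser = rewrite(fromBackend, connectorAddr, clientAddr);
        System.out.println("received : " + fromBackend);
        System.out.println("rewritten: " + forBrowser);
    }
}
```

Inside the servlet, `clientAddr` would come from `HttpServletRequest.getRemoteAddr()` on the user's request (or from the forwarding header your front-end proxy sets, if there is one in front of Luminis). Note what this buys and what it does not: an unkeyed MD5 of a public value like an IP address is something anyone who knows that address can compute, so the rewrite only ties the cookie to the browser's address; if the application mixes a server-side secret into the hash, the connector cannot recompute the field without that secret.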

Thanks

It is proprietary, I suppose. Fortunately the two systems are open source tools (pubcookie and websieve), so I have access to their code and could rework the cookie if the mail administrator would supply me his secret phrase for encrypting the cookies. However, at this point, if possible (although it is looking less and less likely), I wish to avoid doing this.