tags:

views:

123

answers:

3
+9  Q: 

Single sign on cookie removed by anti spyware software

We have a single sign on implementation for a family of websites where the authentication cookie comes from the root domain (e.g. bar.com), allowing them to be logged into a child domain (e.g. foo.bar.com). The implementation is in C# using standard .net forms authentication.

Unfortunately, some of our users are having their authentication cookies deleted by anti spyware software. I've been able to recreate this situation by using PC Tools Anti Spyware and IE8.

The practical upshot is that users log into the site, navigate to another page, and then get asked to log in again.

The cookie is flagged as a low risk tracking cookie by the anti spyware software.

Is there any way to make the cookie more palatable to the apparently rather picky tastes of our user's anti spyware software?

Update:

I've looked into the leading "." issue and it's a red herring. IE Doesn't care and, as I found out via this post, the RFC 2965 Specification requires that implementors supply a leading dot.

Further reading led me to the article "Privacy alert: Cookie variants can be used to skirt blockers, anti-spyware tools". Essentially, many websites are using subdomains as a way hide tracking cookies.

It looks like some anti-spyware software will respect P3P (Platform for Privacy Preferences) declarations on the parent domain. Unfortunately, due to lack of support from browser implementors, work has been suspended on P3P.

At this stage I think the solution to the problem will be as one user suggested: the subdomain will need to create its own authentication cookie.

+2  A: 

You could check that your auth cookie is using the domain .bar.com which should work at www.bar.com, foo.bar.com, etc.bar.com.

This exact behavior is up to the browser but this is the common practice to allow the same cookie across multiple sub-domains. Note that if your auth cookie originally set www.bar.com then a good browser should reject it for foo.bar.com but not for foo.www.bar.com

Am I making any sense? :-)

Update: Looks like you can override the domain in the <forms section of your Web.config, here's a link. I'd start there.

Cory Charlton  2010-02-16 23:51:16
I'm afraid that we are currently using _.bar.com_ using the technique outlined in the useful link that you've provided.
aboy021  2010-02-17 00:36:37
@aboy021: I was afraid of that. If this is the case then I'm not sure what you can do to overcome an anti-spyware software that is choosing to ignore standards. You could try duplicating the cookie on multiple, specific domains, but I assume the anti-spyware will also complain you are creating cookies for a different domain than the one the user is currently accessing. Best of luck figuring this out.
Cory Charlton  2010-02-17 00:55:38
+1  A: 

You may examine default transports in SAML SSO protocol specifications to have more ideas. Archive with all docs is here http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip look into "Assertions and protocols" for protocol description and "Bindings" for possible transports (in particular at redirect and POST).

Common idea there is to somehow query SSO server if current user is authenticated and then cache that status with own cookie. This way every application sets only cookies on own domain.

Petr Gladkikh  2010-02-17 08:20:55
I think that this approach will certainly work. For now I'm going to see if I can get the cookie to be in a form that the anti spyware software finds acceptable.
aboy021  2010-02-17 19:37:46
+1  A: 

I built a system like this. There is one domain that does the login (auth site). If the login is successful it redirects the user from the auth site to the site that initiated the login with a one off token. Then that site sets its own cookie and bobs your uncle. When you logout you have to go directly to the auth site which deletes the cookie as part of the redirect back to the site. Your site then deletes its own cookie. Hahaha hope that makes sense!

Jake Scott  2010-02-17 21:32:52
Unfortunately, we'd still like to maintain the single sign on capability, so if they log into `bar.com` they are effectively logged into `foo.bar.com` and `cat.bar.com`. I think with a one time token we'd lose that.Based on the tests I've been doing, the parent domain cookie only gets deleted after a few seconds, so we should be able to use this as a one time token for the affected users.
aboy021  2010-02-17 22:07:22
.. So your logged into foo.bar.com. You go to cat.bar.com the server notices that your not logged into cat so it redirects you back to foo.bar.com which knows you are logged in so generates a token and sends you back to cat.bar.com which logs you in. If you were not logged in to foo.bar.com it sends you back to cat with a different token saying that your not logged in so don't try and auto authenticate me. That could work?
Jake Scott  2010-02-18 03:42:33

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?