views:

123

answers:

3

We have a single sign on implementation for a family of websites where the authentication cookie comes from the root domain (e.g. bar.com), allowing them to be logged into a child domain (e.g. foo.bar.com). The implementation is in C# using standard .net forms authentication.

Unfortunately, some of our users are having their authentication cookies deleted by anti spyware software. I've been able to recreate this situation by using PC Tools Anti Spyware and IE8.

The practical upshot is that users log into the site, navigate to another page, and then get asked to log in again.

The cookie is flagged as a low risk tracking cookie by the anti spyware software.

Is there any way to make the cookie more palatable to the apparently rather picky tastes of our user's anti spyware software?

Update:

I've looked into the leading "." issue and it's a red herring. IE Doesn't care and, as I found out via this post, the RFC 2965 Specification requires that implementors supply a leading dot.

Further reading led me to the article "Privacy alert: Cookie variants can be used to skirt blockers, anti-spyware tools". Essentially, many websites are using subdomains as a way hide tracking cookies.

It looks like some anti-spyware software will respect P3P (Platform for Privacy Preferences) declarations on the parent domain. Unfortunately, due to lack of support from browser implementors, work has been suspended on P3P.

At this stage I think the solution to the problem will be as one user suggested: the subdomain will need to create its own authentication cookie.

+2  A: 

You could check that your auth cookie is using the domain .bar.com which should work at www.bar.com, foo.bar.com, etc.bar.com.

This exact behavior is up to the browser but this is the common practice to allow the same cookie across multiple sub-domains. Note that if your auth cookie originally set www.bar.com then a good browser should reject it for foo.bar.com but not for foo.www.bar.com

Am I making any sense? :-)

Update: Looks like you can override the domain in the <forms section of your Web.config, here's a link. I'd start there.

Cory Charlton
I'm afraid that we are currently using _.bar.com_ using the technique outlined in the useful link that you've provided.
aboy021
@aboy021: I was afraid of that. If this is the case then I'm not sure what you can do to overcome an anti-spyware software that is choosing to ignore standards. You could try duplicating the cookie on multiple, specific domains, but I assume the anti-spyware will also complain you are creating cookies for a different domain than the one the user is currently accessing. Best of luck figuring this out.
Cory Charlton
+1  A: 

You may examine default transports in SAML SSO protocol specifications to have more ideas. Archive with all docs is here http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip look into "Assertions and protocols" for protocol description and "Bindings" for possible transports (in particular at redirect and POST).

Common idea there is to somehow query SSO server if current user is authenticated and then cache that status with own cookie. This way every application sets only cookies on own domain.

Petr Gladkikh
I think that this approach will certainly work. For now I'm going to see if I can get the cookie to be in a form that the anti spyware software finds acceptable.
aboy021
+1  A: 

I built a system like this. There is one domain that does the login (auth site). If the login is successful it redirects the user from the auth site to the site that initiated the login with a one off token. Then that site sets its own cookie and bobs your uncle. When you logout you have to go directly to the auth site which deletes the cookie as part of the redirect back to the site. Your site then deletes its own cookie. Hahaha hope that makes sense!

Jake Scott
Unfortunately, we'd still like to maintain the single sign on capability, so if they log into `bar.com` they are effectively logged into `foo.bar.com` and `cat.bar.com`. I think with a one time token we'd lose that.Based on the tests I've been doing, the parent domain cookie only gets deleted after a few seconds, so we should be able to use this as a one time token for the affected users.
aboy021
.. So your logged into foo.bar.com. You go to cat.bar.com the server notices that your not logged into cat so it redirects you back to foo.bar.com which knows you are logged in so generates a token and sends you back to cat.bar.com which logs you in. If you were not logged in to foo.bar.com it sends you back to cat with a different token saying that your not logged in so don't try and auto authenticate me. That could work?
Jake Scott