Cookie as Security token ?  
Mfenetre
Posted in: Windows CardSpace ("InfoCard")

Hello,

I was wondering if it was possible to use a cookie as a security token provided by the STS so the browser could use it... But there are some questions:

1. how to transfer a cookie through WS-Trust exchanges
2. how to give this cookie from the CardSpace module to the browser

Thanks,
Mfenetre


Pierre Couzy

Hi there,

I'm not sure I understand your goal; could you rephrase it a bit or give an example?

The CardSpace selector won't give you a cookie (that would imply an HTTP-specific mechanism, and a token is not dependent on a transport). If you use CardSpace from a web page, you can easily transfer the token in a cookie (just check that there is no size limit) and have the cookie available to your web site instead of transmitting it via a form field, but I don't see what you would gain in doing that:

The token is still encrypted for a specific RP, so it can't be a single sign-on cookie.

The token is bigger than a site-specific session cookie, and costs more to parse.

Pierre


Caleb Baker - MSFT

The contents of the RequestedSecurityToken element get passed back to the browser. You can modify the sample STS to do this by making the change below in RequestSecurityTokenResponse.cs to return arbitrary data, like a cookie.

Some points to note are:

- This must be an XML node; the <c> tag can be any tag, it is just there to satisfy this requirement. The tags would then have to be stripped off in the web page.

- There is a bug in CardSpace such that a SecurityTokenReference must be included (this is the case if you just make the code change below), though it is semantically meaningless since the cookie is a bearer token and so doesn't have a proof token.

- This value is returned to the web page, so it is up to the server to set the cookie.

    // RequestedSecurityToken (the SAML token)
    SecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer();
    writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix,
                             Constants.WSTrust.Elements.RequestedSecurityToken,
                             Constants.WSTrust.NamespaceUri.Uri);

    // Original line, now commented out: the SAML token is no longer written.
    // tokenSerializer.WriteToken(writer, token);

    // New lines: write an arbitrary XML node (the cookie value wrapped in <c>)
    // in place of the SAML token.
    XmlDocument xdoc = new XmlDocument();
    xdoc.LoadXml("<c>cookievalue</c>");
    xdoc.WriteContentTo(writer);

    writer.WriteEndElement();



Mfenetre

Thanks Pierre for your answer. In fact, what I wanted to do was to use the cookie "directly" as a security token itself, and not to carry some security token inside it.

Thanks Caleb for your answer. This is exactly what I wanted to do! Once I have done that, the client will have to post the content of this cookie to the SP, which will extract the value, make an HTTP 302 (client redirection) with a "Set-Cookie" instruction and then redirect the client to a protected page. When the client accesses it, the site will check whether the cookie is set and, if that's the case, it will be allowed to continue.

As the various CardSpace presentations said that CardSpace could handle various kinds of security tokens (even kinds which will not be understood by CardSpace itself, but only by the Relying Party), I was hoping that such cookie usage would be possible.

Thanks again ! I'll keep you posted with the results of the implementation.
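The relying-party side that both Caleb's notes (the <c> tags "have to be stripped off in the web page", "it is up to the server to set the cookie") and the flow in the post above call for, as an added example that is not code from the thread or from the CardSpace sample STS: an ASP.NET handler that takes the posted RequestedSecurityToken content, strips the <c> wrapper, validates the value, sets the cookie and answers with a 302 to the protected page, plus the check the protected page runs. The form field name xmlToken, the cookie name CardSpaceSession, the target /protected.aspx and the allowed character set are assumptions, and the handler assumes the <c> element reaches it in clear (if the deployment encrypts the token to the RP's certificate, that decryption happens before this step and is not shown).

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Xml;

// Hypothetical relying-party login handler (added illustration, not part of the
// CardSpace sample STS or of the thread). Register it in web.config as the
// action of the form that carries the information card object.
public class CookieTokenLoginHandler : IHttpHandler
{
    // Assumed names: form field posted by the card object, cookie name, target page.
    const string TokenField = "xmlToken";
    const string CookieName = "CardSpaceSession";
    const string ProtectedPage = "/protected.aspx";

    // Assumed policy for what may become a cookie value: URL-safe characters only,
    // bounded length, so nothing in the value can break the Set-Cookie header.
    static readonly Regex AllowedValue = new Regex(@"^[A-Za-z0-9\-_=]{8,512}$");

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string cookieValue = ExtractCookieValue(context.Request.Form[TokenField]);
        if (cookieValue == null)
        {
            context.Response.StatusCode = 400;
            context.Response.Write("Invalid token");
            return;
        }

        HttpCookie cookie = new HttpCookie(CookieName, cookieValue);
        cookie.HttpOnly = true;  // page script cannot read the bearer value
        cookie.Secure = true;    // sent back only over HTTPS
        cookie.Path = "/";
        context.Response.Cookies.Add(cookie);

        // 302 with Set-Cookie; the browser presents the cookie on the next request
        context.Response.Redirect(ProtectedPage, true);
    }

    // Parses the RequestedSecurityToken content produced by the modified STS
    // ("<c>cookievalue</c>"), strips the <c> wrapper and validates the value.
    // Returns null on anything unexpected.
    public static string ExtractCookieValue(string tokenXml)
    {
        if (string.IsNullOrEmpty(tokenXml) || tokenXml.Length > 4096)
            return null;

        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;  // attacker-reachable input: no DTD or external entity fetches
        try
        {
            doc.LoadXml(tokenXml);
        }
        catch (XmlException)
        {
            return null;
        }

        XmlElement root = doc.DocumentElement;
        if (root == null || root.LocalName != "c" || root.ChildNodes.Count != 1
            || root.FirstChild.NodeType != XmlNodeType.Text)
            return null;

        string value = root.InnerText.Trim();
        return AllowedValue.IsMatch(value) ? value : null;
    }

    // Check run by the protected page: the cookie is present and well-formed.
    public static bool HasSessionCookie(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        return cookie != null && cookie.Value != null && AllowedValue.IsMatch(cookie.Value);
    }
}
```

As Caleb points out, the value is a bearer token: whoever holds the cookie is the user, so the site should issue and accept it only over HTTPS, keep it away from page script (HttpOnly) and invalidate it server-side when the session ends; the handler itself cannot distinguish a replayed value from a fresh one.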