Pubcookie

Pubcookie is a protocol and a software package for providing single sign-on within web applications and websites of an organization. An untrusted web application authenticates the end user against a trusted authentication server via a trusted login server. The Pubcookie software is open source and licensed under the Apache License. Pubcookie was initially developed at the University of Washington in 1998.

Authentication process

The web application is installed on a web server equipped with a Pubcookie module. When an unauthenticated end user attempts to access the web application, the module sets two cookies (pre-session cookie and granting request) and redirects the user to a Pubcookie login server. The granting request cookie is scoped so that it reaches the login server. It contains information about the application, requested resource and desired authentication service.

The login server now presents a login page, allowing the user to present a username and a password or some other kind of credentials. The login server forwards the information presented by the user to an authentication server. If the login server receives a response indication success, it sets two cookies (login cookie and granting cookie) and redirects the user back to the web application. The granting cookie is scoped to reach the web application server, whose Pubcookie module uses the contents of the pre-session cookie and the granting cookie to generate the final session cookie.

If the user needs to access another web application, the login server receives the login cookie and provides the granting cookie without presenting a login page. Notice that the web applications never receive the password (or some other secret) the user uses to authenticate.

The cookies the login server and the web applications exchange are encrypted using symmetric encryption to prevent eavesdropping. The granting cookie is digitally signed to prevent tampering. The cookies carry a timestamp to prevent replay attacks.

Limitations

Web browsers are typically configured to disallow third-party cookies or cookies scoped to multiple domain names. Since organizations rarely share domain names, before version 3.2 (2005) Pubcookie was effectively limited to intra-organizational use. Version 3.2 introduced a HTTP POST-based login option that works across domains.

See also

• CoSign single sign on — open source web single sign-on, originally developed at the University of Michigan
• Central Authentication Service — another open source single sign-on protocol, originally developed at Yale
• Shibboleth (Internet2) -- “The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries.”
• Stanford WebAuth
• University of Minnesota CookieAuth
• Single sign-on
• List of single sign-on implementations

External links

• Official website
• How Pubcookie works