Cookie Server Explained
The cookieserver consists of three daemons on the Solaris platform. They
are:

1. Cookie Daemon

This is the master daemon. This is where all of the information about the
various authorization cookies is stored, including what the cookies are,
what uniqname is matched with a given cookie, and what IP number that cookie
is valid for. All initial cookies are registered with this daemon, and
this daemon is the final authority on whether or not a cookie is valid.

2. Cookie Caching Daemon

This is just a cache for the Cookie Daemon. All this daemon does is copy
down cookie information and tell the web server whether or not a given
cookie is valid. The model is designed to have multiple hosts use the same
cookies for access, with a Cookie Caching Daemon running on each host
and only one Cookie Daemon running on a central host. Right now this
is only being used for the NT port of the software, but could easily be
expanded in the future.

3. PT Services Caching Daemon

This daemon is fairly simple, and is the only one that includes any AFS or
Kerberos calls. All it does is cache protection server information for five
minutes, so that multiple requests to the same server (for example, for a
web page and ten small graphics on that web page) don't cause a lot of
requests to the overloaded IFS PT servers. This has the added benefit of
being an extremely fast way to manage protection information.
There are also several CGI scripts that run to support the above daemons:

1. genlogin

This is the program that generates the login screen.
It is configurable with text files contained in the same directory, so that
the look and feel of the screen can be changed for different services without
changing any source or recompiling. This allows the web
administrator to add graphics and other links to the login screen, though
adding graphics is generally discouraged, because it makes the login page take
much longer to load.

2. nph-login

This program does most of the work of the cookieserver code. This is the
script that is passed a uniqname and password. It checks the password
against the Kerberos servers, and then throws the password away. If the
password is correct, it registers the authentication cookie with the
Cookie Daemon and redirects to the resource originally requested.
If the password is incorrect, it prints that, along with
a link to the login page.

3. logout

This program should be linked to from as many secured resources as possible.
It logs the user out of the secure space, and tells the Cookie Daemon and
Cookie Caching Daemon to expire the authentication cookie.
Logging out of Private WebSpace reduces the risk that someone could access
private pages from your machine if you get up to leave.
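
A model of the validation and logout paths described above (the Cookie Daemon's
IP-bound cookie records, the Cookie Caching Daemon's copied-down entries, and
the logout script notifying both), written as an added Python example, not code
from the cookieserver itself. The cookie lifetime, the cache TTL (borrowed from
the five-minute figure given for the PTS cache) and the cookie and IP values
are assumptions; the point it shows is why logout has to expire the cookie at
the caching daemon as well as the master, since a cached copy inside its TTL
would otherwise keep validating a cookie the user already revoked.

```python
import time
from dataclasses import dataclass

@dataclass
class CookieRecord:
    uniqname: str   # principal the cookie was issued to
    ip: str         # client address the cookie is valid for
    expires: float  # absolute time (seconds since the epoch)

def _check(rec, ip, now):
    """Return the uniqname only if the record exists, is unexpired and is bound to ip."""
    if rec is None or now >= rec.expires or rec.ip != ip:
        return None
    return rec.uniqname

class CookieDaemon:
    """Master registry: the final authority on whether a cookie is valid."""
    def __init__(self, lifetime=3600):  # lifetime is an assumed value, not from the page
        self.lifetime, self.records = lifetime, {}
    def register(self, cookie, uniqname, ip, now=None):
        now = time.time() if now is None else now
        self.records[cookie] = CookieRecord(uniqname, ip, now + self.lifetime)
    def fetch(self, cookie):  # what a caching daemon "copies down"
        return self.records.get(cookie)
    def lookup(self, cookie, ip, now=None):
        return _check(self.fetch(cookie), ip, time.time() if now is None else now)
    def expire(self, cookie):
        self.records.pop(cookie, None)

class CookieCachingDaemon:
    """Per-host cache in front of the master; ttl bounds how stale a copy may be."""
    def __init__(self, master, ttl=300):  # ttl assumed; the page gives none for this cache
        self.master, self.ttl, self.cache = master, ttl, {}
    def lookup(self, cookie, ip, now=None):
        now = time.time() if now is None else now
        hit = self.cache.get(cookie)
        if hit is None or now - hit[1] >= self.ttl:
            hit = (self.master.fetch(cookie), now)  # copy down from the master
            self.cache[cookie] = hit
        return _check(hit[0], ip, now)
    def expire(self, cookie):
        self.cache.pop(cookie, None)

def logout(cookie, master, caches):
    """The logout CGI: expire at the master AND at every caching daemon; otherwise
    a cached copy keeps validating the cookie until its ttl runs out."""
    master.expire(cookie)
    for cache in caches:
        cache.expire(cookie)
```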
In order to port this code to the NT server platform, it is currently
necessary to
rely on a remote PTS caching daemon, at least at first. This is because the
PT server calls for AFS haven't been ported to the NT platform as
far as I know. I am hoping that this work will be done, as the PTS caching
daemon plays an important role in the overall security of Private WebSpace.
If it is not, SSL encrypting the PTS caching daemon's transactions should
provide security from a man-in-the-middle attack.