1 / 10

Login Process

Login Process. edh.cern.ch. 1. access a protected page. 2a. Redirect to login page. Browser. Web Server. plugin. 3b. Access the protected page again; send login cookie. 2b. Redirect to login page. 3a. Set login cookie; redirect back to the protected page. Users DB. Login Web Server

alvis
Download Presentation

Login Process

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Login Process edh.cern.ch 1. access a protected page 2a. Redirect to login page Browser Web Server plugin 3b. Access the protected page again; send login cookie 2b. Redirect to login page 3a. Set login cookie; redirect back to the protected page Users DB Login Web Server (https) Users DB copy aislogin.cern.ch

  2. Login application • Verify username & password • create MD5 hash and check against database • get other user information (CERNID, PERSONID, IP, ….) 2. Encrypt user information • typedef struct { • UINT4 cksum; • UINT4 dateOfIssue; • UINT4 IP; • UINT4 HRId; • UINT4 CERNId; • char username[27]; • char language; • unsigned char version; • unsigned char flags[40]; • }; /* 89 bytes */ AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73 Private Key 800 bits 3. Set AI_SESSION cookie /*200 chars*/ Set-Cookie: AI_SESSION=8E6EF5CA5F5602E2D13DA53349FAD84907B8F100A84DAA8A1B3F2DE40B01A21396554EF439941F576D470827999A83E9CAB124F2FFBB1F96336D2B07C3B5F63E12E826A9055F4EBB652AAE4FF43AAB2CC842DCA076B5C7944D79CC410CBA4006154409B1; path=/; domain=.cern.ch 4. Verify that browser accepts cookies

  3. Webserver Plugin Operation 1. Verify and decrypt AI_SESSION cookie • typedef struct { • UINT4 cksum; • UINT4 dateOfIssue; • UINT4 IP; • UINT4 HRId; • UINT4 CERNId; • char username[27]; • char language; • unsigned char version; • unsigned char flags[40]; • }; /* 89 bytes */ AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73 Public Key 2. If any errors, redirect to the login page 3. Create server-side cookies AI_USER=50070;AI_USERNAME=AWIECEK;AI_HRID=493034;AI_LANG=EN;AI_XRESOLUTION=0;AI_YRESOLUTION=0

  4. GET http://aisws7.cern.ch/protected/showcookies User-Agent: lwp-request/1.37 302 AIS login required Connection: close Date: Thu, 21 Sep 2000 04:28:43 GMT Location: https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies Server: Netscape-Enterprise/3.6 SP3 Client-Date: Thu, 21 Sep 2000 04:28:43 GMT Client-Peer: 137.138.180.19:80 <HTML> <HEAD><TITLE>An Error Occurred</TITLE></HEAD> <BODY> <H1>An Error Occurred</h1> 302 AIS login required </BODY> </HTML> BROWSER request Login step 1 WEBSERVER response

  5. Login step 2 BROWSER request GET https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies User-Agent: lwp-request/1.37 200 OK Cache-Control: no-cache Date: 21 Sep 2000 04:26:12 GMT Pragma: No-cache Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1 Content-Type: text/html; charset=iso-8859-1 Expires: Thu, 01 Jan 1970 00:00:00 GMT Client-Date: Thu, 21 Sep 2000 04:28:44 GMT Client-Peer: 137.138.25.20:443 Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch Client-SSL-Cipher: EXP-RC4-MD5 Client-SSL-Warning: Peer certificate not verified MIME-Version: 1.0 Title: Common Login <html><head> <title>Common Login</title> </head> . <form name="form1" method="post" action="Login"> <div align="left"> WEBSERVER response

  6. Login step 3 POST https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies User-Agent: lwp-request/1.37 Content-Length: 47 Content-Type: application/x-www-form-urlencoded 302 Moved temporarily Date: 21 Sep 2000 04:26:13 GMT Location: CheckLogin?REFER=http://aisws7.cern.ch/protected/showcookies Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1 Content-Type: text/html Client-Date: Thu, 21 Sep 2000 04:28:45 GMT Client-Peer: 137.138.25.20:443 Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch Client-SSL-Cipher: EXP-RC4-MD5 Client-SSL-Warning: Peer certificate not verified MIME-Version: 1.0 Set-Cookie: AI_SESSION=8E6EF5CA5F5602E2D13DA53349FAD84907B8F100A84DAA8A1B3F2DE40B01A21396554EF439941F576D470827999A83E9CAB124F2FFBB1F96336D2B07C3B5F63E12E826A9055F4EBB652AAE4FF43AAB2CC842DCA076B5C7944D79CC410CBA4006154409B1; path=/; domain=.cern.ch Set-Cookie: SECURE_LOGIN=1; expires=Sat, 22-Nov-2003 14:12:52 GMT; path=/; domain=.cern.ch <HTML> BROWSER request WEBSERVER response

  7. Login step 4 BROWSER request GET https://aislogin.cern.ch/login-servlet/CheckLogin?REFER=http://aisws7.cern.ch/protected/showcookies User-Agent: lwp-request/1.37 Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73 200 OK Cache-Control: no-cache Date: 21 Sep 2000 04:26:14 GMT Pragma: No-cache Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1 Content-Type: text/html; charset=iso-8859-1 Expires: Thu, 01 Jan 1970 00:00:00 GMT Client-Date: Thu, 21 Sep 2000 04:28:46 GMT Client-Peer: 137.138.25.20:443 Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch Client-SSL-Cipher: EXP-RC4-MD5 Client-SSL-Warning: Peer certificate not verified MIME-Version: 1.0 Title: Login Succeeded <html><head><title>Login Succeeded</title></head> <td><font face="Arial, Helvetica, sans-serif"><b>You may now proceed to <a href="http://aisws7.cern.ch/protected/showcookies"> http://aisws7.cern.ch/protected/showcookies</a> WEBSERVER response

  8. Login step 5 BROWSER request GET http://aisws7.cern.ch/protected/showcookies User-Agent: lwp-request/1.37 Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73 200 OK Connection: close Date: Thu, 21 Sep 2000 04:28:47 GMT Server: Netscape-Enterprise/3.6 SP3 Content-Type: text/html Client-Date: Thu, 21 Sep 2000 04:28:47 GMT Client-Peer: 137.138.180.19:80 <PRE> Cookies: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73; AI_USER=50070; AI_USERNAME=AWIECEK; AI_HRID=493034; AI_LANG=EN; AI_XRESOLUTION=0; AI_YRESOLUTION=0 </PRE> WEBSERVER response

  9. Login step 6 BROWSER request GET http://aisws7.cern.ch/not-protected/showcookies User-Agent: lwp-request/1.37 Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73 200 OK Connection: close Date: Thu, 21 Sep 2000 04:28:47 GMT Server: Netscape-Enterprise/3.6 SP3 Content-Type: text/html Client-Date: Thu, 21 Sep 2000 04:28:47 GMT Client-Peer: 137.138.180.19:80 <PRE> Cookies: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73; </PRE> WEBSERVER response

  10. Features: • Any cookie-enabled browser • Password is requested only once and encrypted (SSL) • Does not use standard HTTP authentication • Supports HTTP & HTTPS • Supports clients inside and outside of CERN • Does authentication only, authorization is handled by applications • Requires a Web Server plugin The AIS Common Login

More Related