Saturday, May 18, 2013

Session cookie

The following is an extract from the OpenAM mailing list which I think is very useful for understanding the structure of the OpenAM session cookie.

> The session cookie is made up from two parts:
>
> - Session ID
> - Server Identifier
>
> The Session ID
>
> The session ID is a SHA1-PRNG generated secure hash. This hash references the session on the authoritative server. In order to forge the cookie they would need to guess a PRNG that matched exactly to a valid session with the same hash on a server. This would be next to impossible; it would be easier to try and steal the cookie value rather than try and generate a valid one from scratch.
>
> The Server Identifier varies depending on if the server is in a site and if the site is running session failover. The whole server identifier is base64 encoded. It is made up like this:
>
> `S101|SI10|SK34329478`
>
> - S1 is the server instance, the server where the session resides
> - SI is the Site Identifier, the site where the server resides
> - SK is the storage key, used during session failover.
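
As an added example (my own code, not from the mailing list post or from OpenAM itself), here is a small Python parser for the base64-encoded server identifier part described above. It assumes the pipe-separated `S1..|SI..|SK..` layout quoted in the post, treats SI and SK as optional because the post says the identifier varies with site membership and session failover, and uses constructed sample values rather than real cookies; it is useful when checking which server or site a session is pinned to during failover troubleshooting, or for filtering malformed values out of logs.

```python
import base64
import binascii

# Field prefixes as described in the quoted mailing-list post.
FIELD_NAMES = {
    "S1": "server_instance",   # server where the session resides
    "SI": "site_identifier",   # site where that server resides
    "SK": "storage_key",       # used during session failover
}

def parse_server_identifier(encoded: str) -> dict:
    """Decode the base64 server-identifier part of an OpenAM session cookie.

    Assumes the pipe-separated layout quoted above (S1..|SI..|SK..).  SI and
    SK are treated as optional because the post says the identifier varies
    with site membership and session failover; S1 is always required.
    """
    try:
        raw = base64.b64decode(encoded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"not a base64 server identifier: {encoded!r}") from exc
    fields = {}
    for part in raw.split("|"):
        prefix, value = part[:2], part[2:]
        if prefix not in FIELD_NAMES:
            raise ValueError(f"unknown field prefix {prefix!r} in {raw!r}")
        name = FIELD_NAMES[prefix]
        if name in fields:
            raise ValueError(f"duplicate field {prefix} in {raw!r}")
        if not value:
            raise ValueError(f"empty value for field {prefix} in {raw!r}")
        fields[name] = value
    if "server_instance" not in fields:
        raise ValueError(f"missing mandatory S1 field in {raw!r}")
    return fields

def is_well_formed(encoded: str) -> bool:
    """True if the server identifier decodes cleanly; handy as a log filter."""
    try:
        parse_server_identifier(encoded)
        return True
    except ValueError:
        return False

# Constructed samples (not real cookies): the layout from the post, and a
# standalone server that is in no site and therefore carries only S1.
SITE_SAMPLE = base64.b64encode(b"S101|SI10|SK34329478").decode("ascii")
STANDALONE_SAMPLE = base64.b64encode(b"S102").decode("ascii")
```

Calling `parse_server_identifier(SITE_SAMPLE)` returns the three fields as a dict keyed by the descriptive names, and `is_well_formed` answers False for anything that is not a valid base64 identifier in this layout.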

