Subject: article: Access Control and Session management in the HTTP Environment
The below article is particularly relevant to our various discussions surrounding binding to "standard commercial browsers" (in quotes because we need to reword it, but that's a different thread). The article is here:

Access Control and Session management in the HTTP Environment
http://patriot.net/~kurt/IEEE-IC-Gutzmann.pdf (as published)
http://patriot.net/~kurt/ieee/ (html; as sub'd for pub)

The overall mechanism described therein for web single sign-on is not particularly unique, but it is useful, it seems to me, in that it is vendor-neutral and accessible. I'd recalled it going into more detail about the structure of so-called "tickets" (e.g. subcomponent sizes and ticket/cookie sizes), but it apparently doesn't.

For the SAML Security & Privacy Considerations perspective, the article provides a reasonably detailed "attacks and defenses" analysis, which ought to be fairly applicable to any "cookie and/or URL"-based HTTP state/session management approach, and thus is a starting point for at least one aspect of that subgroup's work.

JeffH