Making an auto-login on our Intranet; how secure is CGI.auth_user?

We have CF10 on our Intranet webserver, and I'm developing the authentication system.  The higher-ups do not want the Intranet to ask for a login, and instead to pull the user's credentials from the CGI.auth_user variable since they log into a domain before they get to the intranet.
Thing is, this variable holds a value that lists the domain and username, but no password (i.e., 'DOMAIN_NAME\user_name').
Well, I can run CFLDAP to determine if this user exists in our Active Directory and is not disabled/locked, but since a password is not captured/provided, the Intranet would have to assume that 'This is good enough for you to say who you are', and auto-log them in as that user.
My question is, how hard is it to spoof this value?  If someone knows the username of an admin, and can alter the system to capture their credentials as 'DOMAIN_NAME\username_of_admin', then it would log them in as an admin.
I understand the risk of assuming the logged-in person IS the person at the computer (we have many people who log in as themselves, but let others use their PC while they are logged in, and we have informed these people that this is both against policy and that THEY are responsible for anything someone else does on their PC while logged in with their credentials).

Aegis Kleais wrote:
We have CF10 on our Intranet webserver, and I'm developing the authentication system.  The higher-ups do not want the Intranet to ask for a login, and instead to pull the user's credentials from the CGI.auth_user variable since they log into a domain before they get to the intranet.
The most important questions on security are not based on which techniques to use. They are based on policy. Thus, if the domain trusts its users and the policy is that the intranet is just one of the resources within the domain, then there will be little need for a second layer of authentication.
Thing is, this variable holds a value that lists the domain and username, but no password (i.e., 'DOMAIN_NAME\user_name').
Well, I can run CFLDAP to determine if this user exists in our Active Directory and is not disabled/locked, but since a password is not captured/provided, the Intranet would have to assume that 'This is good enough for you to say who you are', and auto-log them in as that user.
My question is, how hard is it to spoof this value?  If someone knows the username of an admin, and can alter the system to capture their credentials as 'DOMAIN_NAME\username_of_admin', then it would log them in as an admin.
It would be a difficult spoof. Suppose you intend some mala fide action on the intranet. You have managed to get hold of the username, DOMAIN_NAME\username_of_admin. To be able to pull off the spoof, you need to be in the domain, and have admin privileges. To have achieved that in the first place, you needed access to an admin password.  We're now down to trust.
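One way to consume CGI.auth_user on the CF10 side with the checks a practitioner would want before trusting it, as an added example that is not the poster's or the forum's code. It assumes IIS in front of ColdFusion with Windows Authentication enabled and anonymous access disabled for the site (so IIS, not the browser, fills in AUTH_USER); the domain controller host, the read-only bind account, the base DN and the session handling are placeholders.

```cfml
<!--- Added example, not the poster's code. Assumes IIS with Windows
      Authentication on and anonymous access off, so CGI.AUTH_USER is
      set by IIS after it has authenticated the request. --->

<!--- Escape a value before placing it inside an LDAP filter (RFC 4515),
      even though it came from the web server rather than the browser. --->
<cffunction name="escapeLdapFilter" returntype="string" output="false">
    <cfargument name="s" type="string" required="true">
    <cfset var out = replace(arguments.s, "\", "\5c", "all")>
    <cfset out = replace(out, "*", "\2a", "all")>
    <cfset out = replace(out, "(", "\28", "all")>
    <cfset out = replace(out, ")", "\29", "all")>
    <cfset out = replace(out, chr(0), "\00", "all")>
    <cfreturn out>
</cffunction>

<!--- Decide whether the web server really authenticated this request and
      pull DOMAIN\user apart. Returns ok=false with a reason otherwise. --->
<cffunction name="identityFromWebServer" returntype="struct" output="false">
    <cfset var result = {ok = false, reason = "", domain = "", user = ""}>
    <!--- 1. Blank AUTH_USER means anonymous access was allowed, or the
            request reached ColdFusion without going through IIS (for
            example via the built-in web server), so there is no identity. --->
    <cfif NOT len(trim(cgi.auth_user))>
        <cfset result.reason = "no authenticated identity">
        <cfreturn result>
    </cfif>
    <!--- 2. Only accept Windows integrated auth. "Basic" would mean the
            site is misconfigured and passwords are crossing the wire. --->
    <cfif NOT listFindNoCase("Negotiate,NTLM", cgi.auth_type)>
        <cfset result.reason = "unexpected auth type: " & cgi.auth_type>
        <cfreturn result>
    </cfif>
    <!--- 3. Expect exactly DOMAIN\user, from our own domain only. --->
    <cfif listLen(cgi.auth_user, "\") NEQ 2>
        <cfset result.reason = "unexpected AUTH_USER format">
        <cfreturn result>
    </cfif>
    <cfset result.domain = listFirst(cgi.auth_user, "\")>
    <cfset result.user = listLast(cgi.auth_user, "\")>
    <cfif result.domain NEQ "DOMAIN_NAME"
          OR NOT reFind("^[A-Za-z0-9._-]{1,64}$", result.user)>
        <cfset result.reason = "domain or username rejected">
        <cfreturn result>
    </cfif>
    <cfset result.ok = true>
    <cfreturn result>
</cffunction>

<!--- The CFLDAP check the poster describes: the account must exist and be
      neither disabled nor locked. Server, bind account and base DN are
      placeholders; the bind password is assumed to live in application scope. --->
<cffunction name="accountIsUsable" returntype="boolean" output="false">
    <cfargument name="sam" type="string" required="true">
    <cfset var ad = "">
    <cfldap action="query"
            server="dc01.example.internal"
            username="DOMAIN_NAME\svc_intranet_ro"
            password="#application.ldapBindPassword#"
            start="DC=example,DC=internal"
            scope="subtree"
            filter="(&(objectClass=user)(sAMAccountName=#escapeLdapFilter(arguments.sam)#))"
            attributes="sAMAccountName,userAccountControl,lockoutTime"
            name="ad">
    <!--- Exactly one match, or we refuse to guess. --->
    <cfif ad.recordCount NEQ 1>
        <cfreturn false>
    </cfif>
    <!--- userAccountControl bit 0x2 is ACCOUNTDISABLE; a non-zero
          lockoutTime means the account is currently locked out. --->
    <cfif bitAnd(val(ad.userAccountControl), 2) NEQ 0 OR val(ad.lockoutTime) NEQ 0>
        <cfreturn false>
    </cfif>
    <cfreturn true>
</cffunction>

<!--- Wiring it together for one request. --->
<cfset id = identityFromWebServer()>
<cfif id.ok AND accountIsUsable(id.user)>
    <cfset session.user = id.user>
<cfelse>
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfabort>
</cfif>
```

The checks only hold if every path to the application goes through the IIS site that performs Windows Authentication; a second listener that skips IIS sees an empty AUTH_USER and is rejected by the first check rather than silently trusted.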
