1. cbzoia+(OP)[view] [source] 2018-09-29 10:15:51
Meanwhile I work for a major US IB. While I don't work on anything customer-facing, our internal SSO infrastructure basically consists of a single cookie that gets access to almost everything. And it's really not difficult to sniff one from another user (like, say, getting them to visit a link like http://mydesktop.companyname.com/..).

It's so bad that for certain systems we check the origin of your connection and will only trust you if you've come from the DMZ rather than internal.

replies(1): >>ramchi+Ja
2. ramchi+Ja[view] [source] 2018-09-29 13:47:18
>>cbzoia+(OP)
Is the cookie not associated with a specific IP? SSO systems would normally flag the mismatch if you try to connect to a website and pass an SSO cookie issued for a different IP, so sniffing cookies wouldn't help all that much.
replies(1): >>thefou+Cw
3. thefou+Cw[view] [source] [discussion] 2018-09-29 17:34:32
>>ramchi+Ja
In the mobile space the IP address changes all the time, doesn't it?
replies(1): >>ramchi+ma1
4. ramchi+ma1[view] [source] [discussion] 2018-09-30 02:13:18
>>thefou+Cw
It's unlikely to change between the SSO login page and the application's login page, and it doesn't matter if it changes later on since the app can issue its own session cookie which isn't tied to an IP.