The ObSSOCookie is a secure mechanism for user authentication. When NetPoint generates the cookie, an MD-5 hash is taken of the session token. When the ObSSOCookie is used to authenticate a user, the MD-5 hash is compared with the original cookie contents to be sure no one has tampered with the cookie.
MD-5 is a one-way hash, so it cannot be unencrypted. The Access Server does the comparison by hashing the session token again and comparing the output with the hash of the token already present in the cookie. If the two hashes do not match, the cookie is corrupt. The system relies on the fact that if someone tampers with the session token, the hashes will not match.
Please Note: The single sign-on cookie does not contain user credentials such as username and password.
Friday, August 29, 2008
Can OBSSO Cookie be read ?
Posted by Rajnish Bhatia at 10:00 AM
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment