Cookie-based Authentication - Nov. 12, 2004

Cookie-based Authentication Overview

Cookie-based authentication has changed radically since its first iteration (described below, in the section about the BM35C09 patch). Cookie-based authentication is intended to provide a means of differentiating users who share the same host at the same time, as on a terminal server or Citrix server. The usual methods of authentication (CLNTRUST or SSL Proxy Authentication) relate a single IP address to a user ID. Since all users on a terminal/Citrix server share the same IP address, that approach cannot work there. With cookie-based authentication, the SSL Proxy Authentication method (logging in within the browser, with no CLNTRUST) is still used, but the authentication and user ID are tied to a cookie stored in the browser for the length of the session rather than to the IP address.

Terminal Server Authentication

Jan 30, 2003 - BorderManager 3.7 Service Pack 1 and later, new feature

Cookie-based authentication was first introduced with the BM35C09 patch, in October of 2000. It had two major problems: you could not browse SSL sites, and it applied globally, so that everyone was forced to use SSL Proxy Authentication instead of CLNTRUST. The real need for this feature was for Citrix servers, and it would have been 100 times more useful if it could have been limited to those servers, even with the SSL issue.

BorderManager 3.7 SP1 provides a new feature (Terminal Server Authentication) that fixes both issues. The feature is enabled in PROXY.CFG by several new settings. I have described them in tip #63 here. Basically, you specify IP addresses, ranges or subnets where this feature applies, so that it is only used on the systems where you want it to apply.

Cookie-Based Authentication for BM 3.5 - 3.7, with BM35C09 Patch or Later - Jan. 30, 2003

Oct 23, 2000 - BM35C09 Patch Features

This patch looks like it has some really useful features, in addition to some bug fixes (stops a number of abends, according to forum users). I am excited enough about these features that I have posted part of the readme for the patch below. The first of them will be of particular interest for Citrix administrators wanting to provide some means of Proxy Authentication.

New Features:
1. COOKIE BASED AUTHENTICATION FOR FORWARD PROXY
2. NEW MAIL PROXY PARAMETERS IN SYS:ETC\PROXY\PROXY.CFG
3. RUNTIME SWITCHES FOR ACLCHECK.NLM

README.TXT:

NEW FEATURE: COOKIE BASED AUTHENTICATION FOR FORWARD PROXY

This feature enables BorderManager to associate a unique cookie with each user so that requests can be tracked. The following describes how this process works:

* User makes a GET HTTP request via the browser to the BorderManager forward proxy

* BorderManager authenticates the user using the SSL authentication method. If the authentication is successful, it generates a cookie, stores it in an internal table and also issues a set cookie command to the browser for both the proxy domain and the target domain using triple redirects. This makes the browser send the cookie in the HTTP header in all subsequent requests.

BorderManager will expect a cookie in every request from an authenticated user. BorderManager therefore extracts the cookie from the received request, and checks for an authentication entry against that cookie. If an authentication entry is found, then the user is considered to be authenticated and the request is processed normally. If the cookie header is missing, BorderManager goes through the entire authentication process again, and creates a new cookie.

BorderManager sets "session cookies" on the browsers. These cookies don't live beyond the particular session of the browser. When the browser is unloaded and reloaded, the user will have to re-authenticate to the proxy.

Previously, the only user identity information present in an HTTP request was the source IP address. However, using this cookie-based authentication method, each user can have a unique session identity that is established each time he logs in. Even if many users share the same IP address (e.g. when going through a Network Address Translator (NAT), proxy, circuit-level gateway, etc.), the cookie identifies each user uniquely.
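The flow the README describes (authenticate once, issue a session cookie, look the cookie up in an internal table on every later request, fall back to a full login when the cookie is absent or unknown) modelled as an added example; this is not Novell's code, the cookie name and the sample users are constructed, and the triple-redirect Set-Cookie dance for the target domain is omitted.

```python
import secrets

# Added model of the BM35C09 cookie-based authentication flow (not Novell's code):
# an in-memory dict keyed by cookie value stands in for the proxy's internal table.
COOKIE_NAME = "BM_Session"   # assumed name; the README does not give the real one

def parse_cookie(header):
    """Split a Cookie request header into a name -> value dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}

class CookieAuthProxy:
    def __init__(self, directory):
        self.directory = directory   # user -> password, constructed sample data
        self.sessions = {}           # cookie value -> user ID

    def _authenticate(self, credentials):
        """Stand-in for the SSL Proxy Authentication login; returns the user or None."""
        if credentials is None:
            return None
        user, password = credentials
        return user if self.directory.get(user) == password else None

    def handle_request(self, src_ip, headers, credentials=None):
        """Return (user_id, set_cookie_header). src_ip is accepted but never
        consulted: with this method identity comes from the cookie, not the address."""
        cookie = parse_cookie(headers.get("Cookie", "")).get(COOKIE_NAME)
        if cookie in self.sessions:              # known cookie: no re-login needed
            return self.sessions[cookie], None
        user = self._authenticate(credentials)   # no/unknown cookie: full login again
        if user is None:
            return None, None                    # real proxy would show the login page
        token = secrets.token_urlsafe(32)        # unguessable session identifier
        self.sessions[token] = user
        # No Expires/Max-Age: a session cookie that dies when the browser unloads.
        return user, f"{COOKIE_NAME}={token}; Path=/; HttpOnly"

def demo():
    """Two users behind one terminal-server address get distinct identities."""
    proxy = CookieAuthProxy({"alice": "pw-a", "bob": "pw-b"})
    ip = "10.0.0.5"                              # constructed shared source address
    alice, sc_a = proxy.handle_request(ip, {}, ("alice", "pw-a"))
    bob, sc_b = proxy.handle_request(ip, {}, ("bob", "pw-b"))
    tok_a = sc_a.split(";")[0].split("=", 1)[1]
    # A later request carrying alice's cookie resolves to alice without credentials.
    again, _ = proxy.handle_request(ip, {"Cookie": f"{COOKIE_NAME}={tok_a}"})
    # A request with no cookie header (e.g. browser restarted) must log in again.
    anon, _ = proxy.handle_request(ip, {})
    return alice, bob, again, anon
```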

Cookie-based authentication can be turned on or off by using the flag "BM_Forward_Cookie" in SYS:ETC\PROXY.CFG. If the flag is turned off or there is no entry for BM_Forward_Cookie in proxy.cfg, authentication reverts to IP-based authentication.

The following entry is required in SYS:ETC\PROXY.CFG to enable cookie based authentication:

[BM Cookie]
BM_Forward_Cookie=1 ; cookie based authentication is enabled. 1= enabled, 0= disabled (default).

KNOWN PROBLEMS/ISSUES:

When using cookie-based authentication, browsing to HTTPS or SSL sites does not work properly.

WARNING: Browsers MUST BE ENABLED to accept cookies
