cosign 1.9.3 review

by on

cosign is a Web single sign on system that allows users to authenticate once per session and access any protected Web resources at th

License: GPL (GNU General Public License)
File size: 317K
Developer: Regents of the University of Michigan
0 stars award from

cosign is a Web single sign on system that allows users to authenticate once per session and access any protected Web resources at the institution. When you use cosign the passwords are sent only to a single, central URL.

Sessions have both idle and hard timeouts, and users can logout of all protected services by visiting a single URL. The use of public key cryptography ensures that a compromise of a protected Web server has no impact on the security of other participating servers.


The central cgi is responsible for logging users into and out of the central cosign server. It is also responsible for registering each service a user logs into - this action ties the user's central login cookie to their session on individual application servers such as our web mail client, web directory client, or CourseTools environment. The prototype CGI was built to use Kerberos V/GSSAPI to authenticate the user.


The central daemon is responsible for maintaining the state of all cosign sessions. This includes keeping track of which users have logged in, logged out, and idle timed out. This also means the daemon keeps track of all of the service cookies that represent the authenticated web applications a user has accessed. The daemon has the ability to replicate its cookie database to multiply hosts, so a failure of one server does not constitute a failure of the system. The daemon answers queries of user identity from both the cgi and the filter, and talks to other daemons through a replication protocol. The daemon was written in C and has knowledge of Kerberos V tickets.


The filter resides on an application server, and is not part of the centralized cosign infrastructure. The filter is responsible for determining which areas of a web site are protected by cosign and which are not. If a user attempts to access a protected area, the filter assures the user is authenticated, and obtains their username, authentication realm, IP address, and optionally a Kerberos ticket. This information can then be used by other authorization mechanisms to make further access decisions. The prototype filter was written in C for Apache 1.3.x.

What's New in This Release:
daemon: updated return codes
daemon: fixed bug in retrieve access control
daemon: fixed bug where HUP with replication turned on would cause the server to die and exit.
man: reorganized and fixed typos

cosign 1.9.3 search tags