Page 1: Login Process

[Diagram: Login Process. Participants: Browser; Web Server with the AIS plugin (edh.cern.ch in the diagram); Login Web Server (https, aislogin.cern.ch); a Users DB and a Users DB copy.]

1. Browser accesses a protected page on the web server.
2a. The plugin redirects the browser to the login page.
2b. The browser follows the redirect to the login web server (https).
3a. The login server sets the login cookie and redirects the browser back to the protected page.
3b. The browser accesses the protected page again and sends the login cookie.

Login Process

Page 2: Login application

AI_SESSION cookie value (200 hex characters = 100 bytes = 800 bits):
AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73

Record that is encrypted into the cookie:

#include <stdint.h>
typedef uint32_t UINT4;        /* 32-bit unsigned; the slide leaves UINT4 undefined */

typedef struct {
    UINT4 cksum;
    UINT4 dateOfIssue;
    UINT4 IP;
    UINT4 HRId;
    UINT4 CERNId;
    char username[27];
    char language;
    unsigned char version;
    unsigned char flags[40];
} AISession;                   /* 89 bytes of fields; the type name is not on the slide.
                                  sizeof() is 92 on a 4-byte-aligned ABI because of tail
                                  padding, so serialise field by field or pack the struct. */

1. Verify username & password
   • create MD5 hash and check against database
   • get other user information (CERNID, PERSONID, IP, ...)
2. Encrypt user information with the Private Key (100-byte, i.e. 800-bit, result)
3. Set AI_SESSION cookie
   Set-Cookie: AI_SESSION=8E6EF5CA5F5602E2D13DA53349FAD84907B8F100A84DAA8A1B3F2DE40B01A21396554EF439941F576D470827999A83E9CAB124F2FFBB1F96336D2B07C3B5F63E12E826A9055F4EBB652AAE4FF43AAB2CC842DCA076B5C7944D79CC410CBA4006154409B1; path=/; domain=.cern.ch
4. Verify that browser accepts cookies

Login application

Page 3: Webserver Plugin Operation

AI_SESSION cookie value received from the browser:
AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73

1. Verify and decrypt AI_SESSION cookie with the Public Key; the plaintext is the 89-byte record (cksum, dateOfIssue, IP, HRId, CERNId, username[27], language, version, flags[40]) shown on the previous page
2. If any errors, redirect to the login page
3. Create server-side cookies
   AI_USER=50070;AI_USERNAME=AWIECEK;AI_HRID=493034;AI_LANG=EN;AI_XRESOLUTION=0;AI_YRESOLUTION=0

Webserver Plugin Operation
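The record layout of page 2 and the plugin checks of page 3, as an added Python example; this is not code from the slides or from the AIS system. It serialises the 89-byte record on the login-application side, parses it back on the plugin side, and applies the checks behind "if any errors, redirect to the login page" before deriving the AI_* variables. Assumptions not stated on the slides: UINT4 fields are little-endian; cksum is a CRC-32 over the other 85 bytes; dateOfIssue is seconds since the Unix epoch and a record is accepted for eight hours; AI_USER carries CERNId and the one-byte language field is expanded to the two-letter code. The encryption step is left out: the slides encrypt with the login server's private key and decrypt with the public key, so the code works on the plaintext record the plugin sees after decryption and only checks the size of the hex cookie copied from the slide (200 hex characters = 100 bytes = 800 bits).

```python
"""Layout and checks of the AI_SESSION record (pages 2 and 3); added example."""
import ipaddress
import struct
import zlib

# Field order and sizes from the slide's typedef: cksum, dateOfIssue, IP, HRId,
# CERNId, username[27], language, version, flags[40].  Little-endian is assumed.
BODY_FMT = "<IIII27scB40s"                 # everything after cksum
RECORD_FMT = "<I" + BODY_FMT[1:]           # cksum in front
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 89, the slide's "/* 89 bytes */"

# The AI_SESSION value shown on the slides: 200 hex characters.
PAGE_COOKIE = ("AA3A256BF0" "6038A190D9" "03B3A2ED8F" "5D79F42800" "6D4ACAEF4A"
               "C25A97046D" "C4BA5C2AE6" "7B8BBB6C65" "08C0406C64" "E3331E8C4D"
               "B0A86CE4B4" "CE1A1EC7B9" "6F7EC64070" "4A5A4BFE7D" "4FE7FB96E6"
               "D6C57F346D" "914BEA2D8B" "AFDD62D2CA" "811532572C" "7B952B1F73")


def cookie_bits(hex_value):
    """Size of the encrypted blob carried in the cookie; the slide's "800 bits"."""
    return len(bytes.fromhex(hex_value)) * 8


def build_record(username, hr_id, cern_id, ip, language, issued, version=1, flags=b""):
    """Login-application side: serialise the record that is then encrypted."""
    body = struct.pack(BODY_FMT, issued, int(ipaddress.IPv4Address(ip)), hr_id, cern_id,
                       username.encode("ascii"), language.encode("ascii"), version, flags)
    cksum = zlib.crc32(body) & 0xFFFFFFFF      # assumption: CRC-32 over the other 85 bytes
    return struct.pack("<I", cksum) + body


def parse_record(blob):
    """Plugin side, after decryption: split the 89 bytes and check the checksum."""
    if len(blob) != RECORD_LEN:
        raise ValueError(f"record is {len(blob)} bytes, expected {RECORD_LEN}")
    cksum, issued, ip, hr_id, cern_id, user, lang, version, flags = struct.unpack(RECORD_FMT, blob)
    if cksum != (zlib.crc32(blob[4:]) & 0xFFFFFFFF):
        raise ValueError("checksum mismatch")
    return {"dateOfIssue": issued, "IP": str(ipaddress.IPv4Address(ip)), "HRId": hr_id,
            "CERNId": cern_id, "username": user.split(b"\0", 1)[0].decode("ascii"),
            "language": lang.decode("ascii"), "version": version, "flags": flags}


def verify_record(rec, client_ip, now, max_age=8 * 3600, version=1):
    """Checks behind "if any errors, redirect to the login page"; [] means accepted."""
    problems = []
    if rec["version"] != version:
        problems.append("unknown version")
    if rec["IP"] != client_ip:                 # the record is bound to the IP it was issued to
        problems.append("ip mismatch")
    if not 0 <= now - rec["dateOfIssue"] <= max_age:   # the eight-hour max_age is an assumption
        problems.append("expired or future-dated")
    return problems


def session_variables(rec):
    """Server-side variables handed to the application (mapping assumed from page 3)."""
    return {"AI_USER": rec["CERNId"], "AI_USERNAME": rec["username"], "AI_HRID": rec["HRId"],
            "AI_LANG": {"E": "EN", "F": "FR"}.get(rec["language"], rec["language"])}


if __name__ == "__main__":
    rec = build_record("AWIECEK", 493034, 50070, "137.138.25.20", "E", issued=969000000)
    print(len(rec), "bytes;", cookie_bits(PAGE_COOKIE), "bits in the slide's cookie")
    parsed = parse_record(rec)
    print(verify_record(parsed, "137.138.25.20", now=969000100), session_variables(parsed))
```

Any byte of the record flipped in transit fails the checksum, a wrong client address or an old dateOfIssue produces a non-empty problem list, and the plugin would redirect to the login page in both cases.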

Page 4: Login step 1

GET http://aisws7.cern.ch/protected/showcookies
User-Agent: lwp-request/1.37

302 AIS login required
Connection: close
Date: Thu, 21 Sep 2000 04:28:43 GMT
Location: https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies
Server: Netscape-Enterprise/3.6 SP3
Client-Date: Thu, 21 Sep 2000 04:28:43 GMT
Client-Peer: 137.138.180.19:80

<HTML><HEAD><TITLE>An Error Occurred</TITLE></HEAD>
<BODY><H1>An Error Occurred</H1>302 AIS login required</BODY></HTML>

BROWSER request

WEBSERVER response

Login step 1

Page 5: Login step 2

GET https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies
User-Agent: lwp-request/1.37

200 OK
Cache-Control: no-cache
Date: 21 Sep 2000 04:26:12 GMT
Pragma: No-cache
Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1
Content-Type: text/html; charset=iso-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Client-Date: Thu, 21 Sep 2000 04:28:44 GMT
Client-Peer: 137.138.25.20:443
Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch
Client-SSL-Cipher: EXP-RC4-MD5
Client-SSL-Warning: Peer certificate not verified
MIME-Version: 1.0
Title: Common Login

<html><head><title>Common Login</title></head>
...
<form name="form1" method="post" action="Login"> <div align="left">

BROWSER request

WEBSERVER response

Login step 2

Page 6: Login step 3

POST https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies
User-Agent: lwp-request/1.37
Content-Length: 47
Content-Type: application/x-www-form-urlencoded

302 Moved temporarily
Date: 21 Sep 2000 04:26:13 GMT
Location: CheckLogin?REFER=http://aisws7.cern.ch/protected/showcookies
Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1
Content-Type: text/html
Client-Date: Thu, 21 Sep 2000 04:28:45 GMT
Client-Peer: 137.138.25.20:443
Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch
Client-SSL-Cipher: EXP-RC4-MD5
Client-SSL-Warning: Peer certificate not verified
MIME-Version: 1.0
Set-Cookie: AI_SESSION=8E6EF5CA5F5602E2D13DA53349FAD84907B8F100A84DAA8A1B3F2DE40B01A21396554EF439941F576D470827999A83E9CAB124F2FFBB1F96336D2B07C3B5F63E12E826A9055F4EBB652AAE4FF43AAB2CC842DCA076B5C7944D79CC410CBA4006154409B1; path=/; domain=.cern.ch

Set-Cookie: SECURE_LOGIN=1; expires=Sat, 22-Nov-2003 14:12:52 GMT; path=/; domain=.cern.ch

<HTML>

BROWSER request

WEBSERVER response

Login step 3

Page 7: Login step 4

GET https://aislogin.cern.ch/login-servlet/CheckLogin?REFER=http://aisws7.cern.ch/protected/showcookies

User-Agent: lwp-request/1.37

Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73

200 OK

Cache-Control: no-cache

Date: 21 Sep 2000 04:26:14 GMT

Pragma: No-cache

Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1

Content-Type: text/html; charset=iso-8859-1

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Client-Date: Thu, 21 Sep 2000 04:28:46 GMT

Client-Peer: 137.138.25.20:443

Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority

Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch

Client-SSL-Cipher: EXP-RC4-MD5

Client-SSL-Warning: Peer certificate not verified

MIME-Version: 1.0

Title: Login Succeeded

<html><head><title>Login Succeeded</title></head>

<td><font face="Arial, Helvetica, sans-serif"><b>You may now proceed to <a href="http://aisws7.cern.ch/protected/showcookies">

http://aisws7.cern.ch/protected/showcookies</a>

BROWSER request

WEBSERVER response

Login step 4

Page 8: Login step 5

GET http://aisws7.cern.ch/protected/showcookies

User-Agent: lwp-request/1.37

Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73

200 OK

Connection: close

Date: Thu, 21 Sep 2000 04:28:47 GMT

Server: Netscape-Enterprise/3.6 SP3

Content-Type: text/html

Client-Date: Thu, 21 Sep 2000 04:28:47 GMT

Client-Peer: 137.138.180.19:80

<PRE>

Cookies:

AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73;

AI_USER=50070;

AI_USERNAME=AWIECEK;

AI_HRID=493034;

AI_LANG=EN;

AI_XRESOLUTION=0;

AI_YRESOLUTION=0

</PRE>

BROWSER request

WEBSERVER response

Login step 5

Page 9: Login step 6

GET http://aisws7.cern.ch/not-protected/showcookies

User-Agent: lwp-request/1.37

Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73

200 OK

Connection: close

Date: Thu, 21 Sep 2000 04:28:47 GMT

Server: Netscape-Enterprise/3.6 SP3

Content-Type: text/html

Client-Date: Thu, 21 Sep 2000 04:28:47 GMT

Client-Peer: 137.138.180.19:80

<PRE>

Cookies:

AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73;

</PRE>

BROWSER request

WEBSERVER response

Login step 6
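The redirect and cookie exchange of login steps 1 to 6, as an added Python example; this is not code from the slides or from the AIS servers. Both sides are modelled: a cookie-enabled browser, the plugin on aisws7.cern.ch guarding /protected/, and the Login and CheckLogin servlets on aislogin.cern.ch. Assumptions: the account, its password and the unsalted MD5 hash are constructed; an HMAC key shared by the two servers stands in for the private/public key pair, and the token format is the example's own rather than the 89-byte record; the responses to a failed login and to a browser that returns no cookie are not shown on the slides and are invented here as plain 200 pages. The cookie jar applies only the path=/ and domain=.cern.ch attributes the slides show, which is why the AI_SESSION cookie is also sent on the plain-http requests of steps 5 and 6 (pages 8 and 9).

```python
"""Redirect and cookie flow of the AIS Common Login (login steps 1-6); added example."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

LOGIN_BASE = "https://aislogin.cern.ch/login-servlet/"
COOKIE_ATTRS = "; path=/; domain=.cern.ch"      # exactly the attributes shown on page 6

# Constructed account: unsalted MD5 password hash as on page 2, AI_* variables as on page 8.
USERS_DB = {"AWIECEK": {
    "md5": hashlib.md5(b"correct-horse").hexdigest(),
    "vars": "AI_USER=50070;AI_USERNAME=AWIECEK;AI_HRID=493034;AI_LANG=EN;AI_XRESOLUTION=0;AI_YRESOLUTION=0"}}
TOKEN_KEY = b"stand-in for the login server's private key"   # assumption: MAC instead of RSA


def issue_token(username):
    """Mint an opaque hex AI_SESSION value that only the login server can produce."""
    body = username.encode("ascii").hex()
    return body + hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]


def verify_token(token):
    """Plugin side: the username for a genuine token, None for anything else."""
    body, tag = token[:-32], token[-32:]
    want = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    if len(tag) != 32 or not hmac.compare_digest(want, tag):
        return None
    try:
        return bytes.fromhex(body).decode("ascii")
    except ValueError:
        return None


class Browser:
    """Cookie-enabled client that honours the domain and path attributes only."""
    def __init__(self):
        self.jar = {}                               # name -> (value, domain, path)

    def store(self, set_cookie):
        parts = [p.strip() for p in set_cookie.split(";")]
        name, value = parts[0].split("=", 1)
        attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        self.jar[name] = (value, attrs.get("domain", ""), attrs.get("path", "/"))

    def cookies_for(self, url):
        u = urlsplit(url)                           # scheme ignored: no Secure flag on the slides
        return {n: v for n, (v, d, p) in self.jar.items()
                if u.hostname.endswith(d) and u.path.startswith(p)}


def plugin(url, cookies):
    """Web server plugin: guards /protected/, passes other paths through untouched."""
    protected = urlsplit(url).path.startswith("/protected/")
    user = verify_token(cookies.get("AI_SESSION", ""))
    if protected and user is None:
        return 302, {"Location": LOGIN_BASE + "Login?REFER=" + url}, "302 AIS login required"
    shown = ";".join(f"{k}={v}" for k, v in cookies.items())
    if protected:                                   # server-side variables only behind the plugin
        shown += ";" + USERS_DB.get(user, {}).get("vars", "")
    return 200, {}, "Cookies: " + shown


def login_servlet(method, url, cookies, form=None):
    """Login web server: GET Login shows the form, POST Login checks it, CheckLogin is step 4."""
    u = urlsplit(url)
    refer = parse_qs(u.query).get("REFER", [""])[0]
    servlet = u.path.rsplit("/", 1)[-1]
    if servlet == "Login" and method == "GET":
        return 200, {}, '<form name="form1" method="post" action="Login">'
    if servlet == "Login" and method == "POST":
        account = USERS_DB.get(form.get("username", ""))
        digest = hashlib.md5(form.get("password", "").encode()).hexdigest()
        if account is None or not hmac.compare_digest(digest, account["md5"]):
            return 200, {}, "Login failed"          # assumption: the slides show no failure page
        return 302, {"Location": "CheckLogin?REFER=" + refer,
                     "Set-Cookie": ["AI_SESSION=" + issue_token(form["username"]) + COOKIE_ATTRS,
                                    "SECURE_LOGIN=1" + COOKIE_ATTRS]}, ""
    if servlet == "CheckLogin":                     # step 4: did the browser send the cookie back?
        if verify_token(cookies.get("AI_SESSION", "")):
            return 200, {}, "Login Succeeded: you may now proceed to " + refer
        return 200, {}, "Your browser does not accept cookies"   # assumption, as above
    return 404, {}, ""


def run_flow(browser, target, username, password):
    """Drive login steps 1-5 and return the status code seen at each step."""
    statuses = []
    status, hdr, _ = plugin(target, browser.cookies_for(target))                 # 1
    statuses.append(status)
    if status != 302:
        return statuses
    login_url = hdr["Location"]
    status, _, _ = login_servlet("GET", login_url, browser.cookies_for(login_url))   # 2
    statuses.append(status)
    status, hdr, _ = login_servlet("POST", login_url, browser.cookies_for(login_url),
                                   {"username": username, "password": password})   # 3
    statuses.append(status)
    if status != 302:
        return statuses
    for sc in hdr["Set-Cookie"]:
        browser.store(sc)
    check_url = LOGIN_BASE + hdr["Location"]        # relative Location, as on page 6
    status, _, _ = login_servlet("GET", check_url, browser.cookies_for(check_url))   # 4
    statuses.append(status)
    status, _, _ = plugin(target, browser.cookies_for(target))                    # 5
    statuses.append(status)
    return statuses


if __name__ == "__main__":
    b = Browser()
    print(run_flow(b, "http://aisws7.cern.ch/protected/showcookies", "AWIECEK", "correct-horse"))
```

A correct password yields the status sequence 302, 200, 302, 200, 200 of pages 4 to 8; a wrong one stops at step 3. After login the not-protected page of page 9 receives the AI_SESSION cookie but no AI_* variables, and a token with one altered character is rejected by the plugin.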

Page 10: Features

Features:

• Any cookie-enabled browser
• Password is requested only once and encrypted (SSL)
• Does not use standard HTTP authentication
• Supports HTTP & HTTPS
• Supports clients inside and outside of CERN
• Does authentication only, authorization is handled by applications
• Requires a Web Server plugin

The AIS Common Login