Web Isolation

OAuth Enabled Sites (Ex.Google,Yahoo..) Isolation - Quick Tips 

11-08-2017 11:27 PM

Introduction to Cookie-Based OAuth:

Screenshot.png

Cookie based authentication means a record or session is kept on both server and client after successful authentication. The server needs to keep track of active sessions in a database, while on the front-end a cookie is created that holds a session identifier, thus the name cookie based authentication. Let's look at the flow of traditional cookie based authentication:

  • User enters their login credentials
  • Server verifies the credentials are correct and creates a session which is then stored in a database
  • A cookie with the session ID is placed in the users browser
  • On subsequent requests, the session ID is verified against the database and if valid the request processed
  • Once a user logs out of the app, the session is destroyed both client and server side

 

An Example for a response Cookie after a successful authentication on login.yahoo.com; as you can see below, the cookie can used for all yahoo services :

 

B  
value 1l8ho6dcegkd7&b=4&d=HgwMCNFpYF…-&s=kv&i=TfHDcO9y6mkFjxWhbDE.
expires 2018-11-03T06:32:49.000Z
path /
domain .yahoo.com
T  
value z=UT2.ZBUndDaB11GHg8F6v1gNDA3T…yaHBJWFBFaERieGxOeFdoa0lfQS0t
expires 2018-11-03T06:32:49.000Z
path /
domain .yahoo.com
secure true
httpOnly true
F  
value d=4sMy6fw9vKe3LupImzVW8xbvD5PbG.m91X5ZiQ--
expires 2018-11-03T06:32:49.000Z
path /
domain .yahoo.com
httpOnly true
PH  
value fn=bBgBMfijDlxXi2dUxA--&l=en-US&i=us
expires 2018-11-03T06:32:49.000Z
path /
domain .yahoo.com
Y  
value v=1&n=419s8uji31kdh&l=o57dc2wd…000000&r=12p&lg=en-US&intl=us
expires 2018-11-03T06:32:49.000Z
path /
domain .yahoo.com
FS  
value v=1&d=qMCywpyeSiwyltwPKbJsSe6u…6frYY1reKF_HUHX9sdQRx_IOA--~A
expires 2019-11-03T18:32:50.000Z
path /
domain .login.yahoo.com
secure true
httpOnly true
SSL  
value v=1&s=dCB_5fIO7vnoBJf11mpwNKhH…8PLsurfECue_nC2Go3zbTkIgBg-~A
expires 2018-11-03T06:32:49.000Z
domain .yahoo.com
path /
secure true
httpOnly true
AO  
value u=1
expires 2037-11-02T14:47:31.000Z
path /
domain .yahoo.com
AS  
value v=1&s=nUSq8Ryl&d=A59fcb5f6|5P5…iuftrKF5INgcpkhM.X_8R8X1PU-~A
path /
domain login.yahoo.com
secure true
httpOnly true

 

Once I click on the Mail icon (mail.yahoo.com) for example, the following cookie is attached to my request , the same cookie I received in response to my authentication on login.yahoo.com 

 

 

B 1l8ho6dcegkd7&b=4&d=HgwMCNFpYF…-&s=kv&i=TfHDcO9y6mkFjxWhbDE.
T z=UT2.ZBUndDaB11GHg8F6v1gNDA3T…yaHBJWFBFaERieGxOeFdoa0lfQS0t
F d=4sMy6fw9vKe3LupImzVW8xbvD5PbG.m91X5ZiQ--
PH fn=bBgBMfijDlxXi2dUxA--&l=en-US&i=us
Y v=1&n=419s8uji31kdh&l=o57dc2wd…000000&r=12p&lg=en-US&intl=us
SSL v=1&s=dCB_5fIO7vnoBJf11mpwNKhH…8PLsurfECue_nC2Go3zbTkIgBg-~A
AO

u=1

 

How does this relate to Isolation?

 

Short Answer: You must configure the proxy forwarding policy to isolate both login.yahoo.com and mail.yahoo.com or Both Search Engines/Portals and Email if you match using URL categories, for the user to be able to open his Email account.

 

Long Answer:

If you have a use case where the proxy is configured to forward only Email Category to FG, and this Email service delegates authentication to OAuth Portal (Example; you request mail.yahoo.com, you are redirected to login.yahoo.com for authentication) , the user will fail to open his Email Account and redirection keeps happening even if the user is successfully authenticated, why? because login.yahoo.com (as an example for an OAuth portal) is not isolated, which means the response cookie is saved on the user machine , while the mail.yahoo.com is sent from the isolation VM which has no cookies!

 

Isolating both Search Engines/Portals (login.yahoo.com & accounts.google.com) and Email (mail.yahoo.com and mail.google.com) is required

 

Statistics
0 Favorited
5 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Related Entries and Links

No Related Resource entered.