Tags: identity, genexus

Problems with WebSession when executing a WebService (GeneXus)


Here is the problem: I have a KB called APP1 that will execute a WebService of an Identity Provider (centralizes all the logins/sessions for different applications) that will return true if there is a logged user in the current WebSession that has been granted access to the Application, or false otherwise. When I create a web panel in the same KB as the Identity Provider, it works just fine: I get TRUE when there's a logged user, and FALSE when there's not. But when I call it from APP1 it always returns false. I believe that the problem is that the WebSession won't work properly when called through a WS. Any ideas of how to solve it?


Solution

  • Consider this solution:

    1. User tries to access App1
    2. There's no web session (App1 doesn't know who is connecting)
    3. App1 redirects User to an IdentityProvider's special login page
    4. If User is not logged in, it provides credentials and logs in
    5. IdentityProvider has a session for the user (it knows who is connecting), then it redirects to the referer, appending to the URL an encrypted userid parameter.
    6. App1 decodes the parameter, now it knows who is connecting.
    7. App1 saves the userid to the web session, now the user is authenticated

    App1 and IdentityProvider must share an encryption key. Consider that if the encryption key gets compromised or cracked, anyone can impersonate another user.

    Depending on how secure you want your system to be, you should study other security issues:

    • Every time the user connects, its encrypted login is the same and it shows in the URL; this can be easily solved by adding a nonce or salt.
    • The system could be abused by generating multiple requests until it gets a valid encrypted userid. It can be mitigated by using a large salt and/or blocking multiple attempts from the same source.

    Note that this isn't a tested protocol and I didn't study the security in depth. I got some inspiration from OpenId, but this is a simplified protocol and I could be missing security holes.
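The redirect exchange in the answer above (steps 5 to 7) plus its two follow-up concerns (the same parameter on every login; guessing a valid parameter), as an added example that is not part of the original answer and is not GeneXus code: the protocol logic is language-independent, so it is shown in Python with both the IdentityProvider side (issuing the URL parameter) and the App1 side (validating it before writing the userid to the session). Instead of the answer's "encrypted userid", the parameter is an HMAC-SHA256 authenticated token over {userid, nonce, issue time} under the shared key: what App1 needs is that the value cannot be forged or altered, which encryption alone does not guarantee. The nonce makes every redirect carry a different value and lets App1 refuse replays; the issue time bounds how long a captured URL stays usable. The shared key, the `auth` parameter name, the 60-second window and the referer URL are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example secret (assumption: provisioned to App1 and the IdP out of band).
SHARED_KEY = b"constructed-example-key-do-not-reuse"
TOKEN_TTL_SECONDS = 60  # assumed window in which App1 accepts a freshly issued token


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# IdentityProvider side (answer's step 5): token = base64(payload) "." base64(HMAC-SHA256)
def idp_issue_token(userid: str, now: Optional[float] = None) -> str:
    payload = {
        "uid": userid,
        "nonce": secrets.token_hex(16),  # fresh per redirect, so no two tokens are equal
        "iat": int(time.time() if now is None else now),
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def idp_redirect_url(referer: str, userid: str, now: Optional[float] = None) -> str:
    """URL the IdP redirects the browser to: the referer plus the `auth` parameter."""
    sep = "&" if "?" in referer else "?"
    return referer + sep + urlencode({"auth": idp_issue_token(userid, now)})


# App1 side (answer's steps 6 and 7): returns the userid to store in the web session,
# or None when the token is missing, forged, tampered, stale or replayed.
def app1_consume(url: str, seen_nonces: Set[str], now: Optional[float] = None) -> Optional[str]:
    token = parse_qs(urlsplit(url).query).get("auth", [None])[0]
    if not token or token.count(".") != 1:
        return None
    body_b64, tag_b64 = token.split(".")
    try:
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Verify the MAC before trusting anything inside the payload.
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or altered: the guessing attack in the answer fails here
    payload = json.loads(body)
    current = time.time() if now is None else now
    if not (current - TOKEN_TTL_SECONDS <= payload["iat"] <= current + 5):
        return None  # outside the acceptance window (5 s tolerance for clock skew)
    if payload["nonce"] in seen_nonces:
        return None  # the same URL presented twice: replay
    seen_nonces.add(payload["nonce"])
    return payload["uid"]  # step 7: App1 now saves this userid in its own web session


if __name__ == "__main__":
    seen: Set[str] = set()
    url = idp_redirect_url("https://app1.example/login", "alice")
    print(url)
    print("first use :", app1_consume(url, seen))   # alice
    print("second use:", app1_consume(url, seen))   # None (replayed)
```

`seen_nonces` stands in for whatever server-side store App1 uses for recently accepted nonces; it only needs to remember them for `TOKEN_TTL_SECONDS`, after which the timestamp check rejects the token anyway. The two checks together address both bullets in the answer: a leaked URL is useless after the window and after its first use, and a forger has to produce a valid 256-bit HMAC rather than a short encrypted value.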