7.5 Passport cookies


To understand the way Passport works, it is especially interesting to look at the different Passport cookies that are exchanged between the user browser, the participating Web sites, and the domain authorities.

The easiest way to see the cookies that are sent to the user browser during a Passport authentication sequence is to disable automatic cookie handling and set the cookie “prompt” option in the properties of your Internet Explorer browser. When you do this, your browser will prompt you each time a cookie is sent to your browser. To set this up in Internet Explorer 6.0 (this is the IE version that comes bundled with Windows XP and Windows Server 2003), select Internet Options from the Tools menu option, and go to the privacy tab. Click the “Advanced” button (as illustrated in Figure 7.5) and check the “Override automatic cookie handling” box—then select “Prompt” for both first-party and third-party cookies.

Figure 7.5: Disabling automatic cookie handling in Internet Explorer 6.0.

The next time you perform a Passport authentication sequence, your browser will generate a “Privacy Alert” warning dialog box (like the one illustrated in Figure 7.6) each time the Web site you are accessing tries to save a cookie to your machine. If you click “More Info,” the dialog box is expanded and shows all the cookie properties. The interesting properties to observe are the cookie name; the cookie domain (the domain that is attempting to write the cookie to your machine); the “expires” property (when the cookie expires); the secure property (which tells the browser to return the cookie to the server only over an HTTPS [SSL-protected] connection); and the session property (whether the cookie is persistent or is deleted at the end of the browser session).

Figure 7.6: Internet Explorer cookie “privacy alert.”

Table 7.1 lists the most important cookies the Passport authentication system deals with. By default all Passport cookies are session cookies (also known as nonpersistent cookies) that are deleted from the cookie cache at the end of the browser session. Passport cookies can also “expire” at the end of the time period that is specified in the cookie by the Passport domain authority or participating Web site. If a user selects the “Sign me in automatically” option on the Passport login dialog the Passport cookies become persistent cookies.

The last column of Table 7.1 shows how the content of the cookies is secured. Passport uses a set of symmetric encryption keys to provide confidentiality protection of cookie content. Every domain authority has an encryption key, and every participating Web site has an encryption key; the latter key is known to both the domain authority and the participating Web site. Each key is a 168-bit key that is regularly updated. The encryption algorithm used from Passport version 2 onward is Triple DES (3DES). Note that encrypting the content protects its confidentiality only; encryption by itself does not let the receiving site detect that the ciphertext was altered in transit.

Table 7.1: Passport Cookie Types

Cookie Name              Cookie Short Name   Encryption?
Ticket-Granting Cookie   MSPSec              Encrypted using domain authority’s encryption key
Ticket Cookie            MSPAuth             Encrypted using domain authority’s or participating Web site’s encryption key
Profile Cookie           MSPProf             Encrypted using domain authority’s or participating Web site’s encryption key
Visited Sites Cookie     MSPVis              Encrypted using domain authority’s encryption key

Passport uses two types of ticket cookies: ticket-granting cookies and “plain” ticket cookies. This system is very much inspired by the Kerberos authentication protocol.

The Passport ticket-granting cookie is generated at the beginning of a Passport logon session, which begins when the user signs in to Passport using the Sign In icon and ends when the user closes the browser or signs out from Passport by clicking the Sign Out icon on a participating Web site. The domain authority uses the ticket-granting cookie to silently renew the ticket cookie for its own domain or to issue a new ticket cookie for a participating Web site; thanks to it, the user does not have to re-enter Passport credentials every time a ticket cookie must be renewed or a new one requested. The ticket-granting cookie contains the user’s Passport Unique IDentifier (PUID) and a hash of the user’s credential information, and its content is encrypted using the domain authority’s encryption key.

A ticket cookie is used to authenticate a user to the domain authority or to a participating Web site during a Passport logon session. It contains the user’s PUID and a set of encrypted timestamps. The latter protect against replay attacks. A ticket cookie’s content is encrypted using the domain authority’s encryption key (in the case of the ticket cookie for the domain authority) or using the participating Web site’s encryption key (in the case of a ticket for a participating Web site).

The visited sites cookie contains a list of the participating Web sites that a user has visited from his or her computers since last Sign Out. This site list is used to clear all Passport-related cookies when a Passport user clicks the Sign Out icon to sign out of his Passport account.

A Profile cookie contains a Passport user’s profile data. Like ticket cookies, profile cookies provide ease of use to a Passport user, who does not have to keep retyping his personal data every time he accesses another Web site. Passport deals with two different profile cookie types:

  • One profile cookie contains the user’s general profile information (also known as the user Passport “core” profile). Its content is encrypted using the domain authority’s encryption key.

  • The other profile cookie contains a user’s general profile information and optionally additional profile information that is specific to a participating Web site. Its content is encrypted using the participating Web site’s encryption key. At the time of writing, the content of the Passport profile cookie in the domain authority’s domain and in the participating site’s domain was identical: Passport did not store or pass site-specific profile information within its cookies.

The user’s general or core profile always contains the user’s e-mail address and may optionally contain the user’s first and last name, country/region, postal code, state, time zone, preferred language, gender, accessibility, occupation, and full birth date. By default, the option to include or not include the latter data in the user’s profile is entirely up to the user. Some domain authorities, such as Hotmail, require these profile fields to be specified during registration. Passport stores the user data into the Passport core profile at registration time. From Passport 2.0 on a user can at any time after the initial registration change the content of the profile and decide which profile data to share with Passport participating Web sites.

Table 7.2 gives an overview of the Passport user data discussed so far. It shows the required and optional data for Passport registration and whether the data are by default shared with participating Passport sites during a Passport logon session.

Table 7.2: Passport User Data

Passport User Data Type        Content                                                            Required During Registration?   Shared During Passport Logon Session?
PUID                           Passport Unique Identifier                                         Yes                             Yes
User General or Core Profile   E-mail address                                                     Yes                             User-defined (default = No)
                               First and last name                                                No                              User-defined (default = No)
                               Country/region, postal code, state                                 No                              User-defined (default = No)
                               Time zone, preferred language, gender, accessibility, occupation   No                              User-defined (default = No)
                               Full birth date                                                    No                              User-defined (default = No)
Passport Credentials           Standard: e-mail address                                           Yes                             User-defined (default = No)
                               Standard: password or PIN                                          Yes                             No
                               Strong credential sign-in: four-digit key                          No                              No




Windows Server 2003 Security Infrastructures: Core Security Features of Windows .NET (HP Technologies)
ISBN: 1555582834
Year: 2003
Author: Jan De Clercq