MIT-MAGIC-COOKIE



next up previous contents
Next: SUN-DES-1 and Kerberos Up: Platforms Previous: Xdm

MIT-MAGIC-COOKIE

The MIT-MAGIC-COOKIE protocol allows Xdm to create a hard-to-guess token that is only readable by the user account which successfully logged in via Xdm. It uses the Unix file system access control to protect the token. The user can copy this token to the user's home directories on other systems to allow clients on those hosts to connect to the X server. [Sch91]

When using MIT-MAGIC-COOKIE-1, the client sends a 128 bit ``cookie'' along with the connection setup information. If the cookie presented by the client matches one that the X server has, the connection is allowed access. The cookie is chosen so that it is hard to guess; xdm generates such cookies automatically when this form of access control is used. The user's copy of the cookie is usually stored in the .Xauthority file in the home directory, although the environment variable XAUTHORITY can be used to specify an alternate location. Xdm automatically passes a cookie to the server for each new login session, and stores the cookie in the user file at login.

The cookie is transmitted on the network without encryption, so there is nothing to prevent a network snooper from obtaining the data and using it to gain access to the X server. This system is useful in an environment where many users are running applications on the same machine and want to avoid interference from each other, with the caveat that this control is only as good as the access control to the physical network. In environments where network-level snooping is difficult, this system can work reasonably well.



John Barkley
Fri Oct 7 16:17:21 EDT 1994