2. How does it work?

This is just a brief summary glossing over many details. For the full story see the Webauth protocol specification.

When a browser connects to a Webauth protected service for the first time, no Webauth service cookie is presented, so the server redirects the browser to the Webauth login page. After successful authentication the Webauth login server sets a cookie that the browser will return to the login server on later visits, proving to the login server that the user has already authenticated. The login server then redirects the browser back to the Webauth protected service. The redirect carries information that proves the identity of the user to the protected service and allows the service to set its own cookie, which the browser presents on subsequent visits.

When the browser revisits the Webauth protected service, the service-specific cookie is presented, which proves the identity of the user, so no additional authentication steps need to take place.

When a browser visits a second Webauth protected service, no service-specific cookie is presented, so the browser is redirected to the Webauth login server. However, this time the browser presents the cookie previously set by the login server. This proves the identity of the user to the login server, so it can immediately redirect the browser back to the second service along with the additional information the second service needs to set its own cookie for subsequent visits.

Doing all of this securely, in such a way that no undue trust is placed in the contents of the cookies, is where all the devilish details live.
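As an added illustration of the exchange described above (this is example code, not Webauth's own implementation), the following Python simulation models a browser with a per-host cookie jar, a login server and two protected services. The token format (a JSON payload plus an HMAC-SHA256 tag), the cookie names, the query parameter names WEBAUTHR and RT, the per-service shared keys and the user credentials are all constructed assumptions for this example; real Webauth tokens are encrypted with keys from a per-service keyring and the details differ. The simulation replays the three visits from the text and then shows why no undue trust is placed in cookie contents: a cookie that names another user but carries no valid tag is treated as absent, and a token issued for one service is refused by another.

```python
import hashlib, hmac, json, secrets, time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Token format assumed for this example: hex(JSON payload) "." HMAC-SHA256 tag.
def sign(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(key, token):
    """Payload if the tag is valid and the token unexpired, else None."""
    try:
        body_hex, mac = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), mac):
        return None
    payload = json.loads(body)
    return payload if payload.get("exp", 0) > time.time() else None

@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""
    set_cookies: dict = field(default_factory=dict)

class LoginServer:
    def __init__(self, users, service_keys):
        self.users = users                       # constructed credential store
        self.service_keys = service_keys         # assumed: one shared key per service
        self.sso_key = secrets.token_bytes(32)   # signs the login server's own cookie

    def handle(self, cookies, service, return_to, creds=None):
        sso = verify(self.sso_key, cookies.get("webauth_sso", ""))
        resp = Response(302)
        if sso is None:                          # no login cookie yet: must authenticate
            if creds is None or self.users.get(creds[0]) != creds[1]:
                return Response(200, "login form")
            user = creds[0]
            resp.set_cookies["webauth_sso"] = sign(self.sso_key, {"user": user, "exp": time.time() + 8 * 3600})
        else:                                    # login cookie proves an earlier authentication
            user = sso["user"]
        id_token = sign(self.service_keys[service], {"user": user, "aud": service, "exp": time.time() + 300})
        resp.location = f"{return_to}?WEBAUTHR={id_token}"
        return resp

class ProtectedService:
    def __init__(self, name, login_url, key):
        self.name, self.login_url, self.key = name, login_url, key
        self.session_key = secrets.token_bytes(32)   # signs this service's own cookie

    def handle(self, cookies, id_token=""):
        session = verify(self.session_key, cookies.get("webauth_at", ""))
        if session:                              # valid service cookie: login server not needed
            return Response(200, f"hello {session['user']}")
        if id_token:                             # returning from the login server
            claims = verify(self.key, id_token)
            if not claims or claims.get("aud") != self.name:
                return Response(403, "rejected identity token")
            resp = Response(200, f"hello {claims['user']}")
            resp.set_cookies["webauth_at"] = sign(self.session_key, {"user": claims["user"], "exp": time.time() + 3600})
            return resp
        return Response(302, location=f"{self.login_url}?RT={self.name}")

class Browser:
    def __init__(self): self.jar = {}            # host -> {cookie name: value}
    def cookies(self, host): return self.jar.setdefault(host, {})
    def store(self, host, resp): self.cookies(host).update(resp.set_cookies)

def run_flow():
    """Replay the three visits from the text; returns the trace plus two rejection checks."""
    keys = {"svc-a": secrets.token_bytes(32), "svc-b": secrets.token_bytes(32)}
    login = LoginServer({"alice": "correct-horse"}, keys)   # constructed user
    svcs = {n: ProtectedService(n, "https://login.example", keys[n]) for n in keys}
    b, trace = Browser(), []

    def visit(name, id_token=""):
        r = svcs[name].handle(b.cookies(name), id_token)
        b.store(name, r)
        trace.append((name, r.status))
        return r

    def login_server(name, creds=None):
        r = login.handle(b.cookies("login"), name, f"https://{name}", creds)
        b.store("login", r)
        trace.append(("login", r.status))
        return parse_qs(urlparse(r.location).query).get("WEBAUTHR", [""])[0]

    visit("svc-a")                               # first visit: no cookie, redirected to login
    login_server("svc-a")                        # no login cookie either: login form shown
    tok_a = login_server("svc-a", ("alice", "correct-horse"))   # authenticates, sets login cookie
    visit("svc-a", tok_a)                        # token accepted, service cookie set
    visit("svc-a")                               # revisit: service cookie alone suffices
    visit("svc-b")                               # second service: no service cookie, redirected
    tok_b = login_server("svc-b")                # login cookie present: immediate redirect back
    visit("svc-b", tok_b)

    forged = sign(b"attacker-guessed-key", {"user": "root", "exp": time.time() + 60})
    forged_status = svcs["svc-a"].handle({"webauth_at": forged}).status     # tag invalid: ignored
    wrong_aud_status = svcs["svc-b"].handle({}, tok_a).status              # svc-a's token at svc-b
    return {"trace": trace, "forged_cookie": forged_status, "wrong_audience": wrong_aud_status}
```

Calling `run_flow()` returns the status each server answered at every step: two redirects and a login form before the first service cookie exists, a plain 200 on the revisit, and a single round trip through the login server for the second service. The two extra checks show the forged cookie producing a redirect to the login server rather than access, and the mis-addressed token being refused with 403, because each party verifies a tag with its own key instead of trusting what the cookie says.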
