Google Search Appliance Managing Search for Controlled-Access Content User Manual

With cookie cracking, if a sample URL check for user credentials is successful, the sample URL’s content
server generates the following response HTTP headers in addition to the standard headers:

X-Username:value
X-Groups:value1, value2

where value becomes a verified identity for the credential group that is associated with the sample URL.

The effect of the response header is that it has “cracked” open the cookie and revealed the username
and/or group(s). To use cookie cracking, the administrator of the content server must modify the server
so that it returns the appropriate response header.

If more than 2000 groups are used, there can be an increase in search latency and a decrease in
queries per second (QPS). To avoid this issue, limit the number of groups to 2000.

There is a 3-second timeout limit for checking the sample URL. If the response time of the host
exceeds this limit, the check for user credentials is not successful.

Using Quoted-Printable Encoding in Response Headers

If special characters are used in an X-Groups or X-Username HTTP response header, the header must
be encoded in UTF-8 as quoted-printable. When the search appliance receives the response header, it
attempts to decode the UTF-8 quoted-printable encoding.

For example, the search appliance crawls the following content, which contains special characters:





Some content

Because the user "spécial" and group "spécial-group" include special characters, the following
encoded headers should be used:

X-Username: sp=C3=A9cial (for spécial)
X-Groups: sp=C3=A9cial-group (for spécial-group)

In contrast, for the user "日本" and the group "spécial-group", the following encoded headers should
be used:

X-Username: =E6=97=A5=E6=9C=AC (for 日本)
X-Groups: sp=C3=A9cial-group (for spécial-group)

If there are special characters in an X-Groups or X-Username HTTP response header that are not
encoded, the search appliance is not able to parse the ACL properly. To avoid this problem, Google
recommends that you always encode the headers.
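
The following is an added example, not code from the Google manual: a content-server-side helper that builds the X-Username and X-Groups headers described above, always encoded as UTF-8 quoted-printable. The function names are hypothetical, and rejecting control characters and commas in names, and refusing more than 2000 groups outright, are conservative choices made for this example.

```python
import quopri

MAX_GROUPS = 2000  # group limit stated in the manual


def qp_header_value(value: str) -> str:
    """Encode one identity value as UTF-8 quoted-printable on a single line."""
    # Control characters (CR/LF included) could split or inject headers: refuse.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in identity value")
    out = []
    for byte in value.encode("utf-8"):
        # Printable ASCII passes through; '=' is the escape character itself.
        if 0x20 <= byte <= 0x7E and byte != 0x3D:
            out.append(chr(byte))
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def build_identity_headers(username: str, groups: list[str]) -> dict[str, str]:
    """Return the X-Username / X-Groups response headers for a verified user."""
    if len(groups) > MAX_GROUPS:
        raise ValueError("more than %d groups" % MAX_GROUPS)
    # Assumption: a comma inside a name would be read as a separator, so reject.
    if any("," in g for g in groups):
        raise ValueError("comma in group name")
    return {
        "X-Username": qp_header_value(username),
        "X-Groups": ", ".join(qp_header_value(g) for g in groups),
    }


def decode_header_value(encoded: str) -> str:
    """Round-trip check using the standard-library quoted-printable decoder."""
    return quopri.decodestring(encoded.encode("ascii")).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample identities, taken from the manual's two examples.
    for user in ("spécial", "日本"):
        print(build_identity_headers(user, ["spécial-group"]))
```

The encoder is written by hand rather than calling `quopri.encodestring` because that function inserts soft line breaks into long values, which do not belong in a single-line header such as a long X-Groups list.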