shibboleth-dev - RE: First complaint - got resolved

Subject: Shibboleth Developers


RE: First complaint - got resolved

  • From: Scott Cantor <>
  • To: 'Renee Shuey' <>,
  • Cc:
  • Subject: RE: First complaint - got resolved
  • Date: Fri, 26 Jul 2002 15:02:06 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> > ShibPOSTProfile.accept() detected a replayed SSO assertion Please
> > contact this site's administrator to resolve the problem.

As you'd expect, this shows up if the POST to the SHIRE from the HS is
executed twice.

> perhaps a more serious problem....
> 2)
> > I forgot to mention in the last email that when I get the error
> > message, if I copy+paste the TargetURL into the address bar I am
> > allowed to go into WebAssign assignments page where I can submit my
> > work...

That just shows he was logged in (the initial POST worked), and after
seeing the replay error, he just manually went back to the target and of
course it let him in no problem.

> Is there a way to post a message similar to "you are already
> logged in" if they try to reenter or resubmit their login
> prior to the closing of their session? Or with my limited
> knowledge, am I misreading this?

No you're right, we have to work out how best to address this. I'm going
to play a bit more with it.

One problem is that it's not 100% the case that "you're logged in". In
some cases, a failure might occur for other reasons, but the ID of the
message will still be tracked and a replay attack will be detected if
you reload the POST again.

I have some ideas worth trying, but it is admittedly more complicated
using POST than a simple redirect. I think the benefits will outweigh
the drawbacks in the long term, but in the short term we have to
reapply/relearn some safety techniques that are somewhat different for
POST.

-- Scott
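The behaviour Scott describes above, where the assertion ID is recorded as soon as it is seen so that a resubmitted POST is reported as a replay even when the first attempt failed for some other reason, can be sketched as a small replay cache. This is an added illustration written for this archive page, not code from the Shibboleth SHIRE; the `Assertion` fields, the `ReplayCache` class and the `accept` function are all assumed names, and the timestamps are constructed sample values.

```python
import time
from dataclasses import dataclass


@dataclass
class Assertion:
    """Minimal stand-in for a POSTed SSO assertion (assumed shape)."""
    assertion_id: str
    audience: str
    not_on_or_after: float  # epoch seconds after which the assertion is invalid


class ReplayCache:
    """Remembers assertion IDs until the assertion itself can no longer be valid.

    Entries expire with the assertion, so the cache stays bounded without
    forgetting an ID while a replay of it could still be accepted.
    """

    def __init__(self):
        self._seen = {}  # assertion_id -> expiry time (epoch seconds)

    def _prune(self, now):
        for aid, expires_at in list(self._seen.items()):
            if expires_at <= now:
                del self._seen[aid]

    def check_and_record(self, assertion_id, expires_at, now):
        """Return True the first time an ID is seen, False on any repeat."""
        self._prune(now)
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires_at
        return True

    def tracked_ids(self, now):
        """IDs still held after discarding ones whose assertions have expired."""
        self._prune(now)
        return set(self._seen)


def accept(assertion, cache, expected_audience, now=None):
    """Validate one POSTed assertion and return a status string.

    The ID is recorded before the remaining checks run, so a failure on a
    later check still leaves the ID tracked; resubmitting the same POST then
    yields a replay rejection rather than the original error. This mirrors
    the point made in the message above about replay detection firing even
    when the first attempt did not actually log the user in.
    """
    now = time.time() if now is None else now
    if assertion.not_on_or_after <= now:
        return "rejected: assertion expired"
    if not cache.check_and_record(assertion.assertion_id,
                                  assertion.not_on_or_after, now):
        return "rejected: replayed SSO assertion"
    if assertion.audience != expected_audience:
        return "rejected: wrong audience"
    return "accepted"


def demo():
    """Walk through a good assertion, a bad one, and a replay of each."""
    cache = ReplayCache()
    sp = "https://sp.example.org/shire"  # constructed target
    good = Assertion("_id-good", sp, not_on_or_after=1000 + 300)
    bad = Assertion("_id-bad", "https://other.example.org", not_on_or_after=1000 + 300)
    return [
        accept(good, cache, sp, now=1000),   # accepted
        accept(good, cache, sp, now=1001),   # replay of a successful POST
        accept(bad, cache, sp, now=1000),    # fails the audience check
        accept(bad, cache, sp, now=1001),    # replay reported, not the audience error
        accept(good, cache, sp, now=1400),   # past NotOnOrAfter: expired, not replayed
        sorted(cache.tracked_ids(now=1400)), # both IDs have been pruned
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The ordering of checks is the design choice worth noticing: recording the ID before the audience check is what makes the second submission of a failed POST surface as a replay, which is exactly why "you are already logged in" would be the wrong message in the general case. A deployment that wants a friendlier message would have to keep the outcome of the first attempt alongside the ID rather than only the ID.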
