
shibboleth-dev - RE: First complaint - got resolved

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To: 'RL 'Bob' Morgan' <>
  • Cc: 'Shibboleth Design Team' <>
  • Subject: RE: First complaint - got resolved
  • Date: Fri, 26 Jul 2002 18:36:22 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> Can we see the original problem report?

I attached the original note I got. It's a compilation from Renee.

> I'm not clear on the situation? This could happen if the
> user went back in their browser history and re-POSTed? Can
> the right answer be anything other than "don't do that"?

Yes, I believe a combination of better error messages with some
judicious tweaking of the JavaScript and possibly some caching-related
headers might do something interesting. I did that a lot with my system.

Another simpler route to take that might be good would be to handle the
replay detection by logging it, and then redirecting directly to the
target w/o setting a cookie, which will do one of two things:

a) In an accidental case, there will be a cookie set from earlier, in
which case they'll just get in. The Back button will be like a fence and
just bounce you right back in.

b) In a real case, there won't be a cookie yet, and the target will
redirect to the WAYF, per usual.

Short run, that may be the simple course to take with the 2.5 release.

The critical thing is to make sure I don't introduce a loop because the
HS isn't somehow seemingly reissuing the same assertion because of some
caching issue in the browser. I've seen a few personal examples of some
strange behavior on that front, so I need to investigate further.

-- Scott
--- Begin Message ---
  • From: Renee' Shuey <>
  • To: ,
  • Subject: Fwd: First complaint - got resolved
  • Date: Fri, 26 Jul 2002 12:54:36 -0400

Thoughts on these?
---------- Forwarded message ----------
Date: Fri, 26 Jul 2002 08:38:32 -0400
From: "John D. Hopkins" <>
To:
Subject: First complaint -  got resolved


Hi Renee',
Here's the first complaint from a student.  I believe that I was able to
resolve it. He sends three messages:
1)
> I tried logging in at 9 PM on July 25 and the login failed.  I received the
> following error:
>
> Shibboleth Session Establisher
> Target URL:https://www.webassign.net/shib-bin/psu.pl
>
> There was a problem with this submission.
> The system detected the following error while processing your submission:
>
> ShibPOSTProfile.accept() detected a replayed SSO assertion
> Please contact this site's administrator to resolve the problem.
>
> Hope this helps..
>
>
>


 perhaps a more serious problem....
2)
> I forgot to mention in the last email that when I get the error message, if
> I copy+paste the TargetURL into the address bar I am allowed to go into
> WebAssign assignments page where I can submit my work...

My reply to him
> Hi JT,
> The message seems to indicate to me that perhaps you logged in and then
> backed out and/or tried to reenter it again.  I did the same thing the first
> time that I logged in. It seemed a little slow and I was impatient.  Close
> your browser and give it another try and let me know.  A cookie is set with
> each login and I don't know what the expiration is on that.
>
> Either way I'll pass your experience along.

His final message
3)
> Hello,
>
> I just tried it again after deleting my internet cache and this time it
> worked. So it probably was just a cookie.  Thanks...


Is there a way to post a message similar to "you are already logged in" if
they try to reenter or resubmit their login prior to the closing of their
session?  Or with my limited knowledge, am I misreading this?

He was able to get in, which seems then that he was perhaps confused by the
messages that were in front of him.

John



--- End Message ---
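
Added example (not part of the original thread and not Shibboleth code): a small Python model of the replay handling proposed in the reply above, where a replayed assertion is logged and the browser is redirected to the target without a new cookie. ReplayCache, accept_post, target and the WAYF URL are hypothetical names chosen for illustration.

```python
import logging
import secrets
import time

log = logging.getLogger("sso.replay")
WAYF_URL = "https://wayf.example.org/"  # hypothetical WAYF location


class ReplayCache:
    """Remembers assertion IDs until their validity window has passed."""

    def __init__(self, ttl=300, clock=time.monotonic):
        self.ttl, self.clock, self._seen = ttl, clock, {}

    def is_replay(self, assertion_id):
        now = self.clock()
        # Drop expired entries so the cache does not grow without bound.
        self._seen = {k: t for k, t in self._seen.items() if t > now}
        if assertion_id in self._seen:
            return True
        self._seen[assertion_id] = now + self.ttl
        return False


def accept_post(cache, sessions, assertion_id, target_url):
    """POST endpoint: returns (status, headers) sent back to the browser."""
    if cache.is_replay(assertion_id):
        # Proposed handling: log it and redirect, but never issue a cookie.
        log.warning("replayed SSO assertion %r for %s", assertion_id, target_url)
        return 302, {"Location": target_url}
    token = secrets.token_urlsafe(16)
    sessions.add(token)
    return 302, {"Location": target_url, "Set-Cookie": "session=" + token}


def target(sessions, cookie):
    """Protected resource: serve with a valid session, else go to the WAYF."""
    if cookie in sessions:
        return 200, {}
    return 302, {"Location": WAYF_URL}
```

Case (a) is a replay from a browser that already holds the cookie from the first POST, so target() serves it; case (b) is a replay from a browser with no cookie, which target() sends to the WAYF. The model does not cover the redirect-loop concern raised in the reply.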


