
shibboleth-dev - Replay handling/caching

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To: 'Shibboleth Design Team' <>
  • Subject: Replay handling/caching
  • Date: Sat, 27 Jul 2002 19:27:58 -0400
  • Importance: Normal
  • Organization: The Ohio State University

I added some Java at the top of the hs.jsp script that the HS uses to
output the redirection form, to expire it.

This has the effect of "solving" the replay errors by causing the Back
button to regenerate a new assertion and results in a new session at the
target. This is similar to what would happen if I handled the error at
the SHIRE by redirecting to the target.

But this is only half the real solution. We should modify (or extend)
the Shib architecture, and append a third parameter to the HS request
format, a time parameter containing the time of the request.

Since we already require loose clock sync, this will let us detect old
requests to the HS and generate a different response there. This is what
I do here at OSU. I realized that we could use the same solution, since
even though the redirection to target is a POST, the original HS request
is still a GET, just like mine is.

If that's not objectionable to anybody, I can change the redirects in
mod_shib to add the time parameter, and we can change the WAYF to do so
also. The HandleServlet just has to look at the parameter, and use a
special new jsp response if the time value is old.

-- Scott
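
Added example, not part of the original message and not Shibboleth code: a sketch of the freshness check a HandleServlet could apply to the proposed time parameter on the GET request. The parameter name `time`, its epoch-seconds encoding, the age and skew windows, and the sample query strings are all assumptions.

```java
import java.time.DateTimeException;
import java.time.Duration;
import java.time.Instant;

// Added illustration, not Shibboleth code. Assumed: the parameter is named "time"
// and carries seconds since the Unix epoch; both windows are example values.
public class HsRequestFreshness {
    enum Verdict { FRESH, STALE, FROM_FUTURE, MISSING_OR_MALFORMED }

    static final Duration MAX_AGE = Duration.ofMinutes(5);    // oldest request still honoured
    static final Duration CLOCK_SKEW = Duration.ofMinutes(3); // tolerance for loose clock sync

    // Raw value of the first "time" parameter in a GET query string, or null.
    static String timeParam(String query) {
        if (query == null) return null;
        for (String pair : query.split("&")) {
            if (pair.startsWith("time=")) return pair.substring("time=".length());
        }
        return null;
    }

    static Verdict classify(String query, Instant now) {
        String raw = timeParam(query);
        if (raw == null) return Verdict.MISSING_OR_MALFORMED;
        Instant sent;
        try {
            sent = Instant.ofEpochSecond(Long.parseLong(raw));
        } catch (NumberFormatException | DateTimeException e) {
            return Verdict.MISSING_OR_MALFORMED; // never treat an unparseable time as fresh
        }
        Duration age = Duration.between(sent, now);
        if (age.compareTo(MAX_AGE.plus(CLOCK_SKEW)) > 0) return Verdict.STALE; // e.g. Back button
        if (age.negated().compareTo(CLOCK_SKEW) > 0) return Verdict.FROM_FUTURE;
        return Verdict.FRESH;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2002-07-27T23:27:58Z"); // constructed clock reading
        String base = "target=https%3A%2F%2Ftarget.example.org%2F&shire=x&time="; // constructed
        long t = now.getEpochSecond();
        String[] samples = { base + (t - 30), base + (t - 3600), base + (t + 900), base + "abc", "target=x" };
        for (String q : samples) {
            // A STALE verdict is where the HS would send the special response page
            // instead of issuing a new assertion.
            System.out.println(classify(q, now) + "  <-  " + q);
        }
    }
}
```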
