Skip to Content.
Sympa Menu

shibboleth-dev - RE: Inclusion of timestamp on redirect (again)

Subject: Shibboleth Developers

List archive

RE: Inclusion of timestamp on redirect (again)


Chronological Thread 
  • From: Scott Cantor <>
  • To: 'Derek Atkins' <>
  • Cc:
  • Subject: RE: Inclusion of timestamp on redirect (again)
  • Date: Thu, 25 Dec 2003 14:38:22 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> How does this this get pasted back into the target? I'm trying
> to understand the flow hear. I'll note that I also proposed
> loop detection some time ago -- where the target includes some
> data into wayf redirect which will get POSTed back to the target
> to make sure we don't have a loop. Is this what you're talking
> about? Or are you trying to solve a different problem?

Different problem, though there's potentially some overlap. This is
something the target adds for the origin to process.

Users will not stop using the back button and nothing we say or do will
change that. So there has to be a way to get the browser to skip over the
various pages that we generate during login when they use it. The only way
to do that reliably without relying on time sync between the client and
server is to put a timestamp in the URL that the HS sees so that it can tell
when a stale request is sent vs. a fresh request.

The GET that generates the form needs to have that parameter when possible,
and then the HS can be coded to check for it and if it's stale, it generates
a special response that contains a window.history.back() script command that
causes the browser to skip over that page in the history list.

With Shib this isn't always useful because of the WAYF, and the fact that we
don't currently control the login process. But for deployments that do login
in a particular way, and with targets that are hardcoded to use a specific
HS, it's a straightforward feature to use and makes users much happier. The
WAYF can also be modified to include this parameter, which takes care of
that issue if you assume clock sync there (which is probably not
unreasonable).

-- Scott




Archive powered by MHonArc 2.6.16.

Top of Page