shibboleth-dev - Re: Inclusion of timestamp on redirect (again)
Subject: Shibboleth Developers
List archive
- From: Derek Atkins <>
- To: Scott Cantor <>
- Cc:
- Subject: Re: Inclusion of timestamp on redirect (again)
- Date: Thu, 25 Dec 2003 23:04:58 -0500
Well, we already have to assume time-sync between the target and
the AA, so why not assume time-sync between the target and the HS?
Still, if we can detect loop detection using the same mechanism it
would be very useful. But I'm not sure a timestamp is sufficient to
detect a loop -- there isn't a good way to know how long a single loop
iteration would take.
So, I don't think a timestamp is sufficient to perform loop detection.
IMHO it would be "better" if there were some way the target could add
some additional (arbitrary) data (e.g. a loop count) that goes into
the redirect and then winds up back in the POST. This means the WAYF
and HS would need to handle the ancillary data properly. I suspect
this is "harder" to handle than your timestamp.
-derek
Scott Cantor
<>
writes:
>> How does this this get pasted back into the target? I'm trying
>> to understand the flow hear. I'll note that I also proposed
>> loop detection some time ago -- where the target includes some
>> data into wayf redirect which will get POSTed back to the target
>> to make sure we don't have a loop. Is this what you're talking
>> about? Or are you trying to solve a different problem?
>
> Different problem, though there's potentially some overlap. This is
> something the target adds for the origin to process.
>
> Users will not stop using the back button and nothing we say or do will
> change that. So there has to be a way to get the browser to skip over the
> various pages that we generate during login when they use it. The only way
> to do that reliably without relying on time sync between the client and
> server is to put a timestamp in the URL that the HS sees so that it can tell
> when a stale request is sent vs. a fresh request.
>
> The GET that generates the form needs to have that parameter when possible,
> and then the HS can be coded to check for it and if it's stale, it generates
> a special response that contains a window.history.back() script command that
> causes the browser to skip over that page in the history list.
>
> With Shib this isn't always useful because of the WAYF, and the fact that we
> don't currently control the login process. But for deployments that do login
> in a particular way, and with targets that are hardcoded to use a specific
> HS, it's a straightforward feature to use and makes users much happier. The
> WAYF can also be modified to include this parameter, which takes care of
> that issue if you assume clock sync there (which is probably not
> unreasonable).
>
> -- Scott
>
>
>
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
PGP key available
- Inclusion of timestamp on redirect (again), Scott Cantor, 12/23/2003
- Re: Inclusion of timestamp on redirect (again), Derek Atkins, 12/24/2003
- RE: Inclusion of timestamp on redirect (again), Scott Cantor, 12/25/2003
- Re: Inclusion of timestamp on redirect (again), Derek Atkins, 12/25/2003
- RE: Inclusion of timestamp on redirect (again), Scott Cantor, 12/25/2003
- Re: Inclusion of timestamp on redirect (again), Derek Atkins, 12/25/2003
- RE: Inclusion of timestamp on redirect (again), Scott Cantor, 12/25/2003
- Re: Inclusion of timestamp on redirect (again), Derek Atkins, 12/24/2003
Archive powered by MHonArc 2.6.16.