Shibboleth Developers

[Derek Atkins <>]

Well, we already have to assume time-sync between the target and
the AA, so why not assume time-sync between the target and the HS?
Still, if we can detect loop detection using the same mechanism it
would be very useful.  But I'm not sure a timestamp is sufficient to
detect a loop -- there isn't a good way to know how long a single loop
iteration would take.

So, I don't think a timestamp is sufficient to perform loop detection.
IMHO it would be "better" if there were some way the target could add
some additional (arbitrary) data (e.g. a loop count) that goes into
the redirect and then winds up back in the POST.  This means the WAYF
and HS would need to handle the ancillary data properly.  I suspect
this is "harder" to handle than your timestamp.

-derek

Scott Cantor 
<>
 writes:

>> How does this this get pasted back into the target?  I'm trying
>> to understand the flow hear.  I'll note that I also proposed
>> loop detection some time ago -- where the target includes some
>> data into wayf redirect which will get POSTed back to the target
>> to make sure we don't have a loop.  Is this what you're talking
>> about?  Or are you trying to solve a different problem?
>
> Different problem, though there's potentially some overlap. This is
> something the target adds for the origin to process.
>
> Users will not stop using the back button and nothing we say or do will
> change that. So there has to be a way to get the browser to skip over the
> various pages that we generate during login when they use it. The only way
> to do that reliably without relying on time sync between the client and
> server is to put a timestamp in the URL that the HS sees so that it can tell
> when a stale request is sent vs. a fresh request.
>
> The GET that generates the form needs to have that parameter when possible,
> and then the HS can be coded to check for it and if it's stale, it generates
> a special response that contains a window.history.back() script command that
> causes the browser to skip over that page in the history list.
>
> With Shib this isn't always useful because of the WAYF, and the fact that we
> don't currently control the login process. But for deployments that do login
> in a particular way, and with targets that are hardcoded to use a specific
> HS, it's a straightforward feature to use and makes users much happier. The
> WAYF can also be modified to include this parameter, which takes care of
> that issue if you assume clock sync there (which is probably not
> unreasonable).
>
> -- Scott
>
>
>

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       

                        PGP key available