Skip to Content.
Sympa Menu

shibboleth-dev - Re: Continuing the cookie discussion...

Subject: Shibboleth Developers

List archive

Re: Continuing the cookie discussion...


Chronological Thread 
  • From: Tom Scavo <>
  • To: Howard Gilbert <>
  • Cc: Walter Hoehn <>,
  • Subject: Re: Continuing the cookie discussion...
  • Date: Fri, 17 Dec 2004 16:37:59 -0500
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=FOKrgVABPTiTEjIlA8G1B9i/Th3//JtG2YyqN7bWEUUYq3y0g9M9mpaXj750xBLj01MOvD2ce+gDrl0/0Zrdfawdn+j8Sl2U1+w2WsSJgWYxcZbSUOpNIqww96EclQHdTGROZm/bBYkfJgUeR9ctO2g01UVAYuDHhbBtVRmlZuU=

On Thu, 16 Dec 2004 00:00:31 -0500, Howard Gilbert
<>
wrote:
> > Can't we just do some JNDI magic to allow the session data to span
> > these contexts without re-directs?
>
> We already have magic to allow the Session object (managed by the
> /shibboleth context), to be available upon request to the Resource Managers.

Can you briefly explain how you're sharing the security context across
application contexts?

> The purpose of the cookie is not to carry the Session data, but only to
> identify the session. Only the Browser can carry a token that identifies an
> HTTP request with some existing server-side state. So again it becomes a
> problem for cookies and their scope.

Why can't the cookie be scoped to the entire server (path=/)?

> The purpose of the redirects is not to move the session data around. It is
> to redirect the Browser from a URL scope where no cookie has been assigned
> to a trusted, authoritative URL within the scope of a preexisting cookie.
> There the cookie can be read, the identity of the Browser can be
> established, and then the old Session ID can be extended to the new context
> where a new cookie can be issued for it.

I'm not sure I follow...are there now two cookies? If the /shibboleth
context sets this second cookie as well, don't you have the same
problem? Why not broaden the scope of the first cookie?

Seems the Resource Manager must distinguish a request that has an
associated security context from one that doesn't. If the request
does not have a cookie, the client should be redirected to the IdP
(via the WAYF). Otherwise the cookie is resolved into the
corresponding security context (which itself is tricky in a J2EE
environment).

Tom



Archive powered by MHonArc 2.6.16.

Top of Page