shibboleth-dev - Re: Continuing the cookie discussion...
Subject: Shibboleth Developers
List archive
- From: Tom Scavo <>
- To: Howard Gilbert <>
- Cc: Walter Hoehn <>,
- Subject: Re: Continuing the cookie discussion...
- Date: Fri, 17 Dec 2004 16:37:59 -0500
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=FOKrgVABPTiTEjIlA8G1B9i/Th3//JtG2YyqN7bWEUUYq3y0g9M9mpaXj750xBLj01MOvD2ce+gDrl0/0Zrdfawdn+j8Sl2U1+w2WsSJgWYxcZbSUOpNIqww96EclQHdTGROZm/bBYkfJgUeR9ctO2g01UVAYuDHhbBtVRmlZuU=
On Thu, 16 Dec 2004 00:00:31 -0500, Howard Gilbert
<>
wrote:
> > Can't we just do some JNDI magic to allow the session data to span
> > these contexts without re-directs?
>
> We already have magic to allow the Session object (managed by the
> /shibboleth context), to be available upon request to the Resource Managers.
Can you briefly explain how you're sharing the security context across
application contexts?
> The purpose of the cookie is not to carry the Session data, but only to
> identify the session. Only the Browser can carry a token that identifies an
> HTTP request with some existing server-side state. So again it becomes a
> problem for cookies and their scope.
Why can't the cookie be scoped to the entire server (path=/)?
> The purpose of the redirects is not to move the session data around. It is
> to redirect the Browser from a URL scope where no cookie has been assigned
> to a trusted, authoritative URL within the scope of a preexisting cookie.
> There the cookie can be read, the identity of the Browser can be
> established, and then the old Session ID can be extended to the new context
> where a new cookie can be issued for it.
I'm not sure I follow...are there now two cookies? If the /shibboleth
context sets this second cookie as well, don't you have the same
problem? Why not broaden the scope of the first cookie?
Seems the Resource Manager must distinguish a request that has an
associated security context from one that doesn't. If the request
does not have a cookie, the client should be redirected to the IdP
(via the WAYF). Otherwise the cookie is resolved into the
corresponding security context (which itself is tricky in a J2EE
environment).
Tom
- Continuing the cookie discussion..., Scott Cantor, 12/13/2004
- RE: Continuing the cookie discussion..., Howard Gilbert, 12/13/2004
- RE: Continuing the cookie discussion..., Scott Cantor, 12/13/2004
- Re: Continuing the cookie discussion..., Walter Hoehn, 12/15/2004
- RE: Continuing the cookie discussion..., Howard Gilbert, 12/16/2004
- Re: Continuing the cookie discussion..., Tom Scavo, 12/17/2004
- RE: Continuing the cookie discussion..., Howard Gilbert, 12/18/2004
- RE: Continuing the cookie discussion..., Jim Fox, 12/18/2004
- RE: Continuing the cookie discussion..., Scott Cantor, 12/18/2004
- RE: Continuing the cookie discussion..., Howard Gilbert, 12/18/2004
- RE: Continuing the cookie discussion..., Scott Cantor, 12/18/2004
- Re: Continuing the cookie discussion..., Tom Scavo, 12/19/2004
- RE: Continuing the cookie discussion..., Scott Cantor, 12/19/2004
- Re: Continuing the cookie discussion..., Tom Scavo, 12/19/2004
- RE: Continuing the cookie discussion..., Scott Cantor, 12/19/2004
- RE: Continuing the cookie discussion..., Howard Gilbert, 12/18/2004
- RE: Continuing the cookie discussion..., Howard Gilbert, 12/19/2004
- Re: Continuing the cookie discussion..., Tom Scavo, 12/17/2004
- RE: Continuing the cookie discussion..., Howard Gilbert, 12/16/2004
- RE: Continuing the cookie discussion..., Howard Gilbert, 12/13/2004
Archive powered by MHonArc 2.6.16.