Shibboleth Developers

[Nate Klingenstein <>]

smells like a contribution...

Begin forwarded message:

> I also built a 'filter' for Tomcat which gives some extra protection 
> for
> the 'RemoteUser' value. It will eliminate most of the session-hijacking
> attempts that will ever occur by invalidating the session (and thus the
> logged-in state) when there is doubt about the user's identity. This is
> done by 'remembering' and checking some HTTP headers (configurable by
> xml) of the user that owns the session. I'd be happy to give that to 
> the
> community too. At the moment the filter is going into alpha phase so I
> probably still have to take off some sharp edges.