Skip to Content.
Sympa Menu

shibboleth-dev - curious SP behaviour

Subject: Shibboleth Developers

List archive

curious SP behaviour


Chronological Thread 
  • From: Ian Young <>
  • To:
  • Subject: curious SP behaviour
  • Date: Tue, 20 Sep 2005 21:56:13 +0100

I noticed the behaviour I'm about to describe some time ago, but it has persisted in a new installation of 1.3 and so I'm documenting it in the hope that someone might have a clue as to what is going on and put me out of my misery.

I have a test SP (now running 1.3, but this was true in 1.2 as well) where the idea was to test all sorts of things. As a result, it is accessable from both http and https as follows:

<RequestMap applicationId="default">
<Host name="target.iay.org.uk" port="8446" scheme="https">
<Path name="secure" requireSession="true" exportAssertion="true" />
</Host>
<Host name="target.iay.org.uk" scheme="http">
<Path name="secure" requireSession="true" exportAssertion="true" />
</Host>
</RequestMap>

Now, if I use Firefox, both of these are equivalent: accessing through either http://target.iay.org.uk/ or https://target.iay.org.uk:8446/ the CGI script I use for testing reports that HTTP_SHIB_ATTRIBUTES has been populated with some Base64 which it proceeds to show me for diagnostic purposes (and decode to the XML for the soporific effects).

Switching to Internet Explorer, the same thing happens with the https route. However, if I go through the http route, I get the script executed with (apparently) all the appropriate attribute headers populated *except* for HTTP_SHIB_ATTRIBUTES.

Then, for the ultimate in weirdness, if I hit F5 to re-fetch the page, the script behaves as it did for me in Firefox and the HTTP_SHIB_ATTRIBUTES contents appear. Contents of things like targeted ID and cookies are identical, so this is not a new session. The only other thing I'd note is that this happens just after one of those "is it OK to continue" messages that IE gives you when you redirect from https to http (the assertion consumer is forced to be https irrespective of the scheme used for the content). I don't see why that would be relevant, though.

The other difference between the first version of the page and the second is that although the address bar in both shows the http URL, the first page's SERVER_PORT is 8446 (same as the assertion consumer URL) and HTTP_HOST is likewise target.iay.org.uk:8446. The refresh makes these 80 and target.iay.org.uk, which is what you get using Firefox.

Anyone have any ideas as to why this baffling behaviour is happening? It isn't terribly important in practice, but obviously anything unexplained is suspect in this game.

-- Ian the bemused



Archive powered by MHonArc 2.6.16.

Top of Page