
shibboleth-dev - Back-button handling
  • From: "Scott Cantor" <>
  • To: <>
  • Subject: Back-button handling
  • Date: Thu, 6 Oct 2005 13:52:27 -0400
  • Organization: The Ohio State University

I've coded up for my own use some modifications to the SSO handler that use
the time parameter to detect stale login requests so that a "placeholder"
page can be generated instead of the current behavior, which traps the user
in the application they're using.

The main reason I had to do this is that Safari is broken and will actually
replay the same assertion to an SP when you hit the back button, and there's
no obvious fix for that.

Using artifact is another way to make this a bit cleaner, since there's no
form page sitting in the history list to go back to, but POST is probably
here to stay for a while.

The algorithm I'm using for now is to generate a cookie name using a hex
hash of the providerId parameter and storing the last "time" value it sees
whenever it generates an assertion for that SP. On entry, I compare the
value in the cookie (if any) to the value in the request, or a half-hour or
so back from the current time. If the request looks old, I forward to an
IdPStale.jsp template instead of allowing it to proceed.

Suggestions on how to improve this are welcome, and if people are
interested, we could add the code to cvs and maybe just make it a config
option for people to enable.

I tried a lot of solutions that live on the client-side, but for Safari if
nothing else, only a server-side approach appears to work.

-- Scott
