Shibboleth Developers

[André Cruz <>]

On Apr 16, 2007, at 4:09 PM, Scott Cantor wrote:

> > You're assuming that one of the first actions a user does is log in
> > to the application. Our applications have public pages that can be
> > used without auth so there could be a case where a user logs in after
> > the X min period.
>
> Fair enough.

Isn't it possible to use a cookie (a bit like the IdP does) to store,  
say, the nameidentifier (in a secure way like a cryptoshibhandler) so  
that when a request hits an SP that does not have a session for this  
user it just fetches the attributes via a backchannel call and  
creates it?

This would be a better solution than a replicated session cache and  
the sticky sessions stuff don't you think?

I'm having some problems with the temporary sticky sessions like:

- cookie stickyness in an https flow, impossible. Perlbal can't  
decode the flow.

- IP stickyness, how do you know if the request is part of an  
existing session or a new one?

- how do I know when to start the sticky session process? Listen for  
redirects to the IdP URL?

The only way would be to do permanent sticky sessions based on the IP  
but that would defeat the purpose of having an excelent load balancer  
like Perlbal...

Thanks for your help,
André