
shibboleth-dev - Re: Shibboleth doubts

Subject: Shibboleth Developers

  • From: André Cruz
  • Subject: Re: Shibboleth doubts
  • Date: Tue, 17 Apr 2007 12:08:33 +0100

On Apr 16, 2007, at 4:09 PM, Scott Cantor wrote:

You're assuming that one of the first actions a user does is log in
to the application. Our applications have public pages that can be
used without auth so there could be a case where a user logs in after
the X min period.

Fair enough.

Isn't it possible to use a cookie (a bit like the IdP does) to store, say, the nameidentifier (in a secure way like a cryptoshibhandler) so that when a request hits an SP that does not have a session for this user it just fetches the attributes via a backchannel call and creates it?

This would be a better solution than a replicated session cache and the sticky sessions stuff, don't you think?

I'm having some problems with the temporary sticky sessions like:

- cookie stickiness in an HTTPS flow, impossible. Perlbal can't decode the flow.

- IP stickiness, how do you know if the request is part of an existing session or a new one?

- how do I know when to start the sticky session process? Listen for redirects to the IdP URL?

The only way would be to do permanent sticky sessions based on the IP but that would defeat the purpose of having an excellent load balancer like Perlbal...

Thanks for your help,
André
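
An added example, not part of the message above and not Shibboleth code: one way the cookie idea raised in the message could be protected, using AES-GCM so the name identifier is hidden from the browser, tamper-evident, and bound to an expiry time. The function names, the cookie layout (expiry followed by name identifier) and the key shared across SP nodes are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"time"
)

// newAEAD builds AES-GCM from a key shared by every SP node (assumed deployment).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealHandle encrypts expiry||nameID under a fresh random nonce for use as a cookie value.
func sealHandle(aead cipher.AEAD, nameID string, expires time.Time) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain := binary.BigEndian.AppendUint64(nil, uint64(expires.Unix()))
	plain = append(plain, nameID...)
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil)), nil
}

// openHandle returns the nameID only if the cookie decodes, authenticates and is unexpired.
func openHandle(aead cipher.AEAD, cookie string, now time.Time) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil || len(raw) < aead.NonceSize() {
		return "", fmt.Errorf("malformed handle cookie")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	if err != nil || len(plain) < 8 || now.Unix() >= int64(binary.BigEndian.Uint64(plain)) {
		return "", fmt.Errorf("handle cookie tampered with or expired")
	}
	return string(plain[8:]), nil
}

func main() {
	aead, _ := newAEAD(make([]byte, 32)) // constructed all-zero demo key, not for real use
	cookie, _ := sealHandle(aead, "constructed-name-id", time.Now().Add(5*time.Minute))
	fmt.Println(openHandle(aead, cookie, time.Now()))
}
```

An SP node that receives a request without a local session would call `openHandle` on the cookie and, only on success, use the recovered name identifier for its back-channel attribute query.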

