
shibboleth-dev - Re: SSO cookie - IDP 1.3.2

Subject: Shibboleth Developers


Re: SSO cookie - IDP 1.3.2


  • From: "Samuel Cochran" <>
  • To:
  • Subject: Re: SSO cookie - IDP 1.3.2
  • Date: Thu, 19 Jul 2007 21:45:53 +1000

On 7/19/07, André Cruz <> wrote:
> I configured the SSO cookie setting and thought everything was
> working correctly but then I noticed that, even though browsers were
> being redirected to the protected SSO path, no cookie was being set
> for subsequent requests.
>
> I took a look at the code
> (src/edu/internet2/middleware/shibboleth/idp/provider/SSOHandler.java)
> and, if I'm not mistaken, the cookie will never be set.
>
> The cookie is only set if username is not null and we're on the
> protected path. The first time username will be null, and the next
> time we will not be in the protected path since we already have the
> username in the session... Unless we get to a different front-end in
> which case the auth is asked again since there is no username or cookie.

I thought cookie authentication was for use when you want to set a
cookie in an external authentication web application using strong
encryption which Shibboleth would read, validate, authorize and
look-up / release attributes. This was from reading the source code.

Sam.


