Shibboleth Developers

["Scott Cantor" <>]

Peter Williams wrote on 2009-05-09:
> Did the shib concept, on either idp or sp, design for this mess?

The SP has nothing to do with SessionIndexes. It does what the spec says
when it gets a logout request, that's all they're used for. The IdP is in
charge of the values, and it appears to set them based on the session cookie
from the browser.

In fact, I think it may have a bug, because if it's setting the same value
across SPs, that's a privacy mistake. They're not supposed to correlate.

> Is there any way to characterise when my session index in my sp table
> will change based on design/profiling/implementation decision made by
> the (shib) idp?

It apparently will change the index when the browser stops sending the same
session cookie to the IdP, or that session is invalidated for whatever
reason (e.g. a timeout) and a new session is started.

The IdP has no control over what a particular client will do with the cookie
its given or how widely it will be shared.

As far as I know, every browser pretty much uses a common session cookie
store within each process, and a separate one between processes, but that's
always going to be browser specific and is nothing anybody can control.

> Eg will the saml2 sessionid will change whenever the local idp cookie
> session changes... Or whatever?

I think that's exactly what I said. I don't know what else you want me to
say.

-- Scott