
shibboleth-dev - Re: [Shib-Dev] Frames/cookies question

Subject: Shibboleth Developers

  • From: Albert Lunde <>
  • To:
  • Subject: Re: [Shib-Dev] Frames/cookies question
  • Date: Mon, 7 Dec 2009 18:49:25 -0500

On Mon, Dec 07, 2009 at 04:35:42PM -0500, Scott Cantor wrote:
> Adam Lantos wrote on 2009-12-07:
> >> I will put a page together somewhere that starts to document this stuff in
> >> a matrix because it's a mess.
> >
> > That'd be really useful!
>
> It's here:
> https://spaces.internet2.edu/display/SHIB2/BrowserBehaviorMatrix
>
> I haven't added much yet, but I'll add all the Windows versions I have once
> I complete the more detailed tests.
>
> > If the SP doesn't receive the session cookie, shouldn't it try to look
> > it up by the NameID/SessionIndex in the LogoutRequest, as it does on
> > the back-channel path?
>
> The standard doesn't say, but my feeling is that if you can deploy SLO
> without the session cookie, you should do it backchannel anyway. My code
> assumes that a front channel attempt is only valid if the session it
> retrieves matches the LogoutRequest.
>
> From the point of view of the SP itself, front-channel isn't actually
> needed, and I could make that the default, but I believe that few apps will
> ever support that. Apps just don't implement that kind of session indexing.
>

It seems like this sounds loosely related to the "same-origin policy"
in web browser clients, lately discussed on a couple of other lists.

(Moved to the new

list after some exposure
on

(which decided it was out-of-scope for HTTPbis work).

Wikipedia points to an interesting chart hosted by Google:

http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy

--
Albert Lunde



(new address for personal mail)


(old address)
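
The distinction drawn in the quoted discussion, sketched as an added example (not code from the Shibboleth SP or from anyone in this thread): a front-channel logout acts only when the session retrieved via the cookie matches the LogoutRequest, while a back-channel logout looks sessions up by NameID/SessionIndex. `Session`, `SessionStore`, the handler names and the sample values are hypothetical.

```python
# Added illustration; all class and function names here are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    sid: str            # value carried in the SP session cookie
    name_id: str        # NameID from the assertion that created the session
    session_index: str  # SessionIndex from the AuthnStatement

class SessionStore:
    def __init__(self):
        self._by_sid = {}
        self._by_subject = {}   # (name_id, session_index) -> set of sids

    def add(self, s):
        self._by_sid[s.sid] = s
        self._by_subject.setdefault((s.name_id, s.session_index), set()).add(s.sid)

    def get(self, sid):
        return self._by_sid.get(sid)

    def find(self, name_id, session_index):
        # Copy, so callers can remove sessions while iterating the result.
        return set(self._by_subject.get((name_id, session_index), ()))

    def remove(self, sid):
        s = self._by_sid.pop(sid, None)
        if s is not None:
            self._by_subject[(s.name_id, s.session_index)].discard(sid)
        return s is not None

def front_channel_logout(store, cookie_sid, name_id, session_index):
    """Browser-delivered LogoutRequest: act only on the cookie's own session."""
    s = store.get(cookie_sid) if cookie_sid else None
    if s is None:
        return "no-session"   # the SP did not receive a usable session cookie
    if (s.name_id, s.session_index) != (name_id, session_index):
        return "mismatch"     # request names a different session; leave it alone
    store.remove(s.sid)
    return "logged-out"

def back_channel_logout(store, name_id, session_index):
    """SOAP LogoutRequest: no cookie exists, so index by the request's identifiers."""
    sids = store.find(name_id, session_index)
    for sid in sids:
        store.remove(sid)
    return len(sids)          # number of sessions terminated
```

The back-channel path depends on the secondary `(name_id, session_index)` index, which is the kind of session indexing the quoted reply says few applications implement.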


