shibboleth-dev - RE: [Shib-Dev] Environment Variables vs. Request Headers
Subject: Shibboleth Developers
List archive
- From: "Jones, Mark B" <>
- To: "" <>
- Subject: RE: [Shib-Dev] Environment Variables vs. Request Headers
- Date: Fri, 5 Feb 2010 13:32:40 -0600
- Accept-language: en-US
- Acceptlanguage: en-US
Thanks Scott and Paul.
Sounds like a fairly safe bet either way but technically less risk using
environment varialbles.
-----Original Message-----
From: Scott Cantor
[mailto:]
Sent: Friday, February 05, 2010 1:18 PM
To:
Subject: RE: [Shib-Dev] Environment Variables vs. Request Headers
Jones, Mark B wrote on 2010-02-05:
> Why?
Headers are subject to spoofing attempts by the client and despite the many
pains the SP takes to prevent that, it's never going to be provably immune
to new ways of attacking it that might get around the protections,
particularly when there are bugs in the web server itself.
I welcome and encourage attempts to hack it, and believe it's quite
protected provided all the IIS caveats are observed, but environment
variables are always protected.
-- Scott
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
- Environment Variables vs. Request Headers, Jones, Mark B, 02/05/2010
- RE: [Shib-Dev] Environment Variables vs. Request Headers, Scott Cantor, 02/05/2010
- Message not available
- RE: [Shib-Dev] Environment Variables vs. Request Headers, Jones, Mark B, 02/05/2010
Archive powered by MHonArc 2.6.16.