shibboleth-dev - RE: [Shib-Dev] Shib SP secure cookies
- From: "Scott Cantor"
- Subject: RE: [Shib-Dev] Shib SP secure cookies
- Date: Tue, 9 Nov 2010 14:13:59 -0500
- Organization: The Ohio State University
> Is there a config option that we are not setting properly, or is that by
> design? Is it possible to change it so that by default with
> handlerSSL="true" that it sets the secure flag for the cookie?
The two actually have nothing to do with each other. In fact, using
handlerSSL="true" is only relevant if you're *not* using secure cookies
because the setting only makes sense if you're allowing http access, and if
you're doing that, you can't limit the cookie.
I can't convince people to require SSL and if I can't do that, I can't make
the cookie secure. If I started including cookieProps in the default config,
I'd be spending an hour a day answering looping and "why can't I use http?"
questions.
I adjust the settings to require SSL in the configuration files I give to
deployers here (and I get constant looping questions as a result, but I'm
prepared to deal with that).
The closest I could come to preventing problems is to add a redirectToSSL
option to the default config. That would prevent looping, but I'd get an
understandable amount of confusion from people testing or using http. There
aren't a lot of good answers. On Windows, I could do some prompting during
install to ask what to do, but Unix package installs can't prompt for
information like that.
-- Scott
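The distinction Scott draws above (handlerSSL only moves the SP's own handlers onto SSL, the cookie's secure flag comes solely from cookieProps, and a secure cookie without redirectToSSL produces the looping he mentions) can be checked mechanically. The following audit script is an added example, not code from the thread or from the Shibboleth project; it assumes the SP 2.x shibboleth2.xml namespace and the documented "http"/"https" shortcut expansions for cookieProps, and the three configurations it inspects are constructed samples.

```python
import xml.etree.ElementTree as ET

# Namespace of shibboleth2.xml in Shibboleth SP 2.x (assumption: SP 2.x layout).
NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}

# Documented shortcut values for cookieProps; any other value is used literally.
COOKIEPROPS_SHORTCUTS = {
    "http": "; path=/; HttpOnly",
    "https": "; path=/; secure; HttpOnly",
}

def audit_sessions(shibboleth2_xml):
    """Return finding codes for the <Sessions> element of a shibboleth2.xml string."""
    root = ET.fromstring(shibboleth2_xml)
    sessions = root.find(".//sp:Sessions", NS)
    if sessions is None:
        return ["NO_SESSIONS_ELEMENT"]
    handler_ssl = sessions.get("handlerSSL", "false").lower() == "true"
    props = sessions.get("cookieProps", "")
    props = COOKIEPROPS_SHORTCUTS.get(props, props)
    attrs = {a.strip().lower() for a in props.split(";")}
    findings = []
    if "secure" not in attrs:
        # Without the secure attribute the session cookie is also sent over plain http.
        findings.append("COOKIE_NOT_SECURE")
        if handler_ssl:
            # handlerSSL forces only the SP handlers onto SSL; it never touches the
            # cookie attributes, so the session cookie still travels over http.
            findings.append("HANDLERSSL_DOES_NOT_SECURE_COOKIE")
    if "httponly" not in attrs:
        findings.append("COOKIE_NOT_HTTPONLY")
    if "secure" in attrs and not sessions.get("redirectToSSL"):
        # A secure cookie is never presented on http requests, so an http visit
        # cannot resume the session and loops back to the IdP; redirectToSSL stops that.
        findings.append("SECURE_COOKIE_WITHOUT_REDIRECTTOSSL")
    return findings

# Constructed sample configurations (not taken from any real deployment).
_TEMPLATE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" %s/>
  </ApplicationDefaults>
</SPConfig>"""
WEAK = _TEMPLATE % 'handlerSSL="true"'                                  # the question's setup
LOOPING = _TEMPLATE % 'handlerSSL="true" cookieProps="https"'           # secure but loops on http
HARDENED = _TEMPLATE % 'handlerSSL="true" cookieProps="https" redirectToSSL="443"'

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("looping", LOOPING), ("hardened", HARDENED)):
        print(name, audit_sessions(cfg))
```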