shibboleth-dev - RE: [Shib-Dev] Shib SP secure cookies

RE: [Shib-Dev] Shib SP secure cookies


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Shib SP secure cookies
  • Date: Tue, 9 Nov 2010 14:13:59 -0500
  • Organization: The Ohio State University

> Is there a config option that we are not setting properly, or is that by
> design? Is it possible to change it so that by default with
> handlerSSL="true" that it sets the secure flag for the cookie?

The two actually have nothing to do with each other. In fact, using
handlerSSL="true" is only relevant if you're *not* using secure cookies
because the setting only makes sense if you're allowing http access, and if
you're doing that, you can't limit the cookie.

I can't convince people to require SSL and if I can't do that, I can't make
the cookie secure. If I started including cookieProps in the default config,
I'd be spending an hour a day answering looping and "why can't I use http?"
questions.

I adjust the settings to require SSL in the configuration files I give to
deployers here (and I get constant looping questions as a result, but I'm
prepared to deal with that).

The closest I could come to preventing problems is to add a redirectToSSL
option to the default config. That would prevent looping, but I'd get an
understandable amount of confusion from people testing or using http. There
aren't a lot of good answers. On Windows, I could do some prompting during
install to ask what to do, but Unix package installs can't prompt for
information like that.

-- Scott
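The reply above turns on how three `<Sessions>` attributes of the SP's shibboleth2.xml interact: `cookieProps` controls whether the session cookie carries the secure flag, `handlerSSL` only matters when the cookie is not secure, and `redirectToSSL` is what stops the redirect loop once the cookie is secure but content is still reachable over http. The following audit script is an added example, not code from the thread or from the Shibboleth project; the two `<Sessions>` fragments are constructed samples (the weak default beside the hardened form), the entityID and attribute values are placeholders, and the interpretation of each attribute combination follows the reasoning in the reply (assumed, not taken from SP documentation).

```python
"""Audit the <Sessions> element of a Shibboleth SP configuration for the
cookie/SSL combinations discussed in the thread.

Constructed example: the configs below are samples, not a real deployment.
"""
import xml.etree.ElementTree as ET

# Default namespace of the SP 2.x configuration file.
SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"

# Weak sample: handlerSSL is set, but nothing marks the cookie secure and
# nothing forces content onto https.
WEAK_CONFIG = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true"/>
  </ApplicationDefaults>
</SPConfig>"""

# Hardened sample: cookie marked secure and http content redirected to https,
# which is the combination that avoids both cookie exposure and looping.
HARDENED_CONFIG = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="https" redirectToSSL="443"/>
  </ApplicationDefaults>
</SPConfig>"""


def _local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_sessions(xml_text: str):
    """Return the first <Sessions> element regardless of namespace, or None."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if _local_name(element.tag) == "Sessions":
            return element
    return None


def cookie_is_secure(cookie_props) -> bool:
    """True if cookieProps marks the session cookie secure.

    Assumption: either the "https" shorthand or an explicit "; secure"
    property string counts; an absent attribute means a plain cookie.
    """
    if cookie_props is None:
        return False
    value = cookie_props.strip().lower()
    return value == "https" or "secure" in value


def audit_sessions(xml_text: str) -> list:
    """Return a list of human-readable findings; empty means no issue found."""
    sessions = find_sessions(xml_text)
    if sessions is None:
        return ["no <Sessions> element found"]

    handler_ssl = sessions.get("handlerSSL", "false").strip().lower() == "true"
    secure = cookie_is_secure(sessions.get("cookieProps"))
    redirect = sessions.get("redirectToSSL")

    findings = []
    if not secure:
        # The cookie will be sent on any http request to the site.
        findings.append(
            "session cookie is not marked secure (no cookieProps): "
            "it will be transmitted over plain http")
    if secure and not redirect:
        # Secure cookie is withheld on http requests, so the SP sees no
        # session and redirects to the handler again: the loop in the thread.
        findings.append(
            "secure cookie without redirectToSSL: http requests to protected "
            "content will not carry the cookie and can loop back to the handler")
    if not secure and handler_ssl and not redirect:
        findings.append(
            "handlerSSL=true only protects the handler; content over http still "
            "exposes the plain cookie (consider redirectToSSL and cookieProps)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sessions(cfg) or ["ok"])
```

Running the script prints two findings for the weak sample and `ok` for the hardened one; pointing `audit_sessions` at the text of a deployed shibboleth2.xml is the intended use.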