shibboleth-dev - Re: [Shib-Dev] Shib SP secure cookies

Subject: Shibboleth Developers

Re: [Shib-Dev] Shib SP secure cookies


Chronological Thread 
  • From: Bradley Schwoerer <>
  • To:
  • Subject: Re: [Shib-Dev] Shib SP secure cookies
  • Date: Tue, 09 Nov 2010 14:52:25 -0600

Scott,

Like always, thanks for a quick and honest response. We have used Pubcookie, so it was hard to do anything except SSL, so our app admin base is trained on using SSL for their sites and I was trying to find ways to make the configuration easier for them. It would just be nice to have one flag set by default that forces everything through SSL like redirectToSSL and then have an option to turn that off, but I understand the position for creating easily deployable software. When installing and configuring both Oracle Access Manager and Oracle Identity Federation, it makes assumptions, which results in a lack of security. You actually have a fair amount of work to do to make stuff more secure. I won't say that you can make those products secure.

-Bradley
Scott Cantor wrote:

> Is there a config option that we are not setting properly, or is that by
> design? Is it possible to change it so that by default with
> handlerSSL="true" that it sets the secure flag for the cookie?

The two actually have nothing to do with each other. In fact, using
handlerSSL="true" is only relevant if you're *not* using secure cookies
because the setting only makes sense if you're allowing http access, and if
you're doing that, you can't limit the cookie.

I can't convince people to require SSL and if I can't do that, I can't make
the cookie secure. If I started including cookieProps in the default config,
I'd be spending an hour a day answering looping and "why can't I use http?"
questions.

I adjust the settings to require SSL in the configuration files I give to
deployers here (and I get constant looping questions as a result, but I'm
prepared to deal with that).

The closest I could come to preventing problems is to add a redirectToSSL
option to the default config. That would prevent looping, but I'd get an
understandable amount of confusion from people testing or using http. There
aren't a lot of good answers. On Windows, I could do some prompting during
install to ask what to do, but Unix package installs can't prompt for
information like that.

-- Scott
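The three settings the thread turns on (handlerSSL, cookieProps and redirectToSSL on the SP's `<Sessions>` element) interact in the way Scott describes: a Secure cookie is useless if the application is still reachable over http (the browser withholds it and the user loops through re-authentication), while handlerSSL="true" on its own protects only the handler endpoints and leaves the session cookie free to travel over http. The following script is an added example, not code from the thread or from the Shibboleth project; it parses the `<Sessions>` element out of a shibboleth2.xml and reports the inconsistent combinations. The two embedded config fragments are constructed samples, the entity ID is a placeholder, and the finding codes are the author's own.

```python
"""Audit the <Sessions> element of a Shibboleth SP shibboleth2.xml for the
cookie/SSL interactions discussed in the thread.

Added example, not Shibboleth project code. handlerSSL, cookieProps and
redirectToSSL are the SP 2.x attribute names from the thread; everything
else here (sample configs, finding codes) is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling a stock install: http allowed, cookie not Secure.
DEFAULT_LIKE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="false" cookieProps="http" relayState="ss:mem"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample of the SSL-required posture Scott hands to local deployers:
# Secure cookie, SSL-only handlers, and http requests redirected to port 443.
HARDENED = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="https" redirectToSSL="443"
              relayState="ss:mem"/>
  </ApplicationDefaults>
</SPConfig>"""

NS = "{urn:mace:shibboleth:2.0:native:sp:config}"


def sessions_attrs(xml_text):
    """Return the attribute map of the first <Sessions> element in the config."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{NS}Sessions")
    if node is None:
        raise ValueError("no <Sessions> element found")
    return dict(node.attrib)


def cookie_is_secure(cookie_props):
    """cookieProps is either the shorthand 'http'/'https' or a literal
    cookie-attribute string; the cookie is Secure when either form yields it."""
    if cookie_props is None:
        return False
    if cookie_props.strip().lower() == "https":
        return True
    return re.search(r"(^|;)\s*secure\s*(;|$)", cookie_props, re.I) is not None


def audit(attrs):
    """Return (code, message) findings; an empty list means the posture is consistent."""
    findings = []
    secure = cookie_is_secure(attrs.get("cookieProps"))
    handler_ssl = attrs.get("handlerSSL", "false").strip().lower() == "true"
    redirect = attrs.get("redirectToSSL")

    if not secure:
        findings.append(("COOKIE_NOT_SECURE",
                         "session cookie lacks the Secure flag; the browser will "
                         "send it over http"))
    if secure and not redirect:
        # The looping Scott describes: http requests cannot carry the Secure
        # cookie, so every one of them starts a fresh login.
        findings.append(("LOOP_RISK",
                         "Secure cookie without redirectToSSL: http requests to "
                         "protected content re-authenticate on every hit"))
    if secure and not handler_ssl:
        findings.append(("HANDLER_HTTP",
                         "handlerSSL=false lets handler endpoints answer over http "
                         "although the session cookie is Secure"))
    if handler_ssl and not secure:
        # Bradley's starting point: handlers forced to SSL, cookie still exposed.
        findings.append(("HANDLER_SSL_ONLY",
                         "handlerSSL=true protects the handlers but the session "
                         "cookie can still travel over http to the application"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(name)
        for code, msg in audit(sessions_attrs(cfg)) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Run against a real shibboleth2.xml by reading the file into `sessions_attrs`. The check deliberately flags the Secure-cookie-without-redirect case as a problem in its own right, because that is exactly the "looping" support load Scott says keeps cookieProps out of the shipped default.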