Shib with REST and AJAX Best Practices
Russell J Yount
rjy at cmu.edu
Tue Sep 13 13:16:47 BST 2011
The group's solution has been to:
1) Change the sessions statement to look something like this:
<Sessions lifetime="28800" timeout="86400" checkAddress="false" relayState="ss:mem" handlerSSL="true">
The key here is setting the lifetime value lower than the timeout value.
2) Add the following directives to the httpd.conf file (they added them globally, but there is no reason it couldn't be done at a directory level I suppose):
Header unset ETag
Header set Cache-Control "max-age=0, must-revalidate"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
This seems to work for them. Is there a better way to handle this?
One possible alternative I have suggested would be to have the application manage its own session (using an authentication page protected by Shibboleth).
What is the best practice for this?
Russell J. Yount rjy at cmu.edu
Identity Services, Carnegie Mellon University
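
The application-managed session suggested in the message above, as an added example that is not part of the original post and is not Shibboleth or project code: only a login page sits behind Shibboleth and issues a signed, expiring token, while AJAX/REST endpoints validate that token themselves. The key, the `/login` path, the function names and the use of `REMOTE_USER` for the identity are assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: replace with a random per-deployment key
APP_LIFETIME = 28800              # seconds; same value as lifetime= in the post
LOGIN_URL = "/login"              # hypothetical Shibboleth-protected page

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_token(environ, now=None):
    """Run only behind the Shibboleth-protected login page."""
    user = environ.get("REMOTE_USER")  # assumption: SP exports the identity here
    if not user:
        raise PermissionError("no Shibboleth identity on this request")
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": int(now) + APP_LIFETIME}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return payload.decode() + "." + _sign(payload)

def check_token(token, now=None):
    """Return the user name, or None if forged, malformed or expired."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.rsplit(".", 1)
        expected = _sign(payload.encode())
        # Constant-time comparison of the HMAC before trusting any claim.
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["exp"] <= now:
            return None
        return claims["sub"]
    except (ValueError, TypeError, KeyError):
        return None

def ajax_response(cookie_token, now=None):
    """AJAX/REST endpoints answer 401 with a login hint, never a redirect."""
    headers = {"Cache-Control": "no-store"}
    user = check_token(cookie_token or "", now)
    if user is None:
        return 401, headers, {"error": "login_required", "login": LOGIN_URL}
    return 200, headers, {"user": user}
```

The client-side script can treat the 401 as the signal to send the browser through the login page once, then retry the call.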