Shib with REST and AJAX Best Practices

Peter Schober peter.schober at
Tue Sep 13 14:10:56 BST 2011

* Russell J Yount <rjy at> [2011-09-13 14:17]:
> One possible alternative I have suggested would be to have the
> application manage its own session (using on authentication page
> protected by Shibboleth).

Leaving session management for your protected resource to the
application (instead of the webserver by means of mod_shib) does not
avoid the app having to authenticate /somewhere/ once correctly.
It just means you'll have two sessions to take care of, one of which
can be forgotten about (low timeout value) after a minute or two.

More information about the users mailing list