Shib with REST and AJAX Best Practices

Cantor, Scott cantor.2 at
Tue Sep 13 14:55:53 BST 2011

On 9/13/11 8:16 AM, "Russell J Yount" <rjy at> wrote:
>The groups solution has been to:
>1) Change the sessions statement to look something like this:
><Sessions lifetime="28800" timeout="86400" checkAddress="false"
>relayState="ss:mem" handlerSSL="true">
>The key here is setting the lifetime value lower than the timeout value.

The session will still expire eventually, so I don't understand the value
of that.

>2) Add the following directives to the httpd.conf file (they added them
>globally, but there is no reason it couldn't be done at a directory level
>I suppose):

I don't understand what that has to do with AJAX either. Anything the
browser is accessing obviously needs appropriate cache policy. If it's
dynamic content, then obviously it should be marked as such.

>This seems to work for them. Is there a better way to handle this?

I don't think either has anything to do with the problem.

>One possible alternative I have suggested would be to have the
>application manage its own session (using an authentication page
>protected by Shibboleth).

If you want the application to manage the session, you can just use lazy
sessions with the SP also. Same effect.

>What is the best practice for this?

Fix HTTP? There's no way to use AJAX in conjunction with security
mechanisms that the client doesn't know anything about. At the end of the
day, it's a broken model.

-- Scott
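As an added example that is not part of this thread: the reply's point is that an XHR cannot complete the SP's SAML redirect, so the only workable pattern is to make the AJAX client aware of the SP session and fall back to a full-page navigation. The code below assumes the application's AJAX endpoints return JSON and that a lost SP session shows up as a redirect to an IdP on another origin, an HTML page in place of JSON, or a 401/403; the origin and endpoint names are constructed.

```javascript
// Added example (not from the thread): make an AJAX client aware of the SP session.
// Assumptions: AJAX endpoints return JSON; when the SP session is gone the SP
// either redirects toward the IdP (a different origin), serves an HTML page,
// or answers 401/403 from a handler.

// Pure classifier so it can be tested without a browser. `resp` carries the
// fields we need from a fetch() Response: status, redirected, url, contentType.
function classifySessionResponse(resp, appOrigin) {
  let respOrigin = null;
  try { respOrigin = new URL(resp.url).origin; } catch (e) { respOrigin = null; }
  // Followed a redirect off the application origin: the SP sent us to the IdP.
  if (resp.redirected && respOrigin !== appOrigin) return 'reauth';
  // Some deployments answer 401/403 from a handler instead of redirecting.
  if (resp.status === 401 || resp.status === 403) return 'reauth';
  // HTML where JSON was expected is the IdP login page or an SP error page.
  const ct = (resp.contentType || '').toLowerCase();
  if (resp.status === 200 && !ct.startsWith('application/json')) return 'reauth';
  if (resp.status >= 200 && resp.status < 300) return 'ok';
  return 'error';
}

// Browser-side wrapper: on 'reauth' do a full-page navigation so the SP can run
// the normal SAML flow, which fetch()/XHR cannot complete across origins.
async function fetchJsonWithSession(url, options = {}) {
  let r;
  try {
    r = await fetch(url, { ...options, credentials: 'same-origin' });
  } catch (e) {
    // A cross-origin redirect to an IdP without CORS headers makes fetch()
    // reject with a TypeError; it is indistinguishable from a network failure,
    // so a full reload is the safe recovery in both cases.
    window.location.assign(window.location.href);
    return null;
  }
  const verdict = classifySessionResponse(
    { status: r.status, redirected: r.redirected, url: r.url,
      contentType: r.headers.get('content-type') },
    window.location.origin);
  if (verdict === 'reauth') {
    // Reload the current page; the SP redirects to the IdP and back.
    window.location.assign(window.location.href);
    return null;
  }
  if (verdict === 'error') throw new Error(`request failed: ${r.status}`);
  return r.json();
}
```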
