Shib with REST and AJAX Best Practices
Russell J Yount
rjy at cmu.edu
Tue Sep 13 16:30:40 BST 2011
>>2) Add the following directives to the httpd.conf file (they added them
>>globally, but there is no reason it couldn't be done at a directory
>>level I suppose):
>I don't understand what that has to do with AJAX either. Anything the browser is accessing obviously needs appropriate cache policy. If it's dynamic content, then obviously it should be marked as such.
Scott, let me explain.
Assuming some time passes, maybe the user does some things and the Shibboleth authentication expires.
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Tuesday, September 13, 2011 9:56 AM
To: users at shibboleth.net
Subject: Re: Shib with REST and AJAX Best Practices
On 9/13/11 8:16 AM, "Russell J Yount" <rjy at cmu.edu> wrote:
>The groups solution has been to:
>1) Change the sessions statement to look something like this:
><Sessions lifetime="28800" timeout="86400" checkAddress="false"
>The key here is setting the lifetime value lower than the timeout value.
The session will still expire eventually, so I don't understand the value
>2) Add the following directives to the httpd.conf file (they added them
>globally, but there is no reason it couldn't be done at a directory level
I don't understand what that has to do with AJAX either. Anything the
browser is accessing obviously needs appropriate cache policy. If it's
dynamic content, then obviously it should be marked as such.
>This seems to work for them. Is there a better way to handle this?
I don't think either has anything to do with the problem.
>One possible alternative I have suggested would be to have the
>application manage its own session (using on authentication page
>protected by Shibboleth).
If you want the application to manage the session, you can just use lazy
sessions with the SP also. Same effect.
>What is the best practice for this?
Fix HTTP? There's no way to use AJAX in conjunction with security
mechanisms that the client doesn't know anything about. At the end of the
day, it's a broken model.
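The failure mode the thread circles around is that the browser's XHR/fetch follows the SP's 302 to the IdP silently, so the application's JavaScript gets a login page (or a cross-origin error) where it expected JSON. The following is an added example, not code from this thread or from the Shibboleth project, of how a client can recognise that situation and recover with a full-page navigation through the SP's session initiator, which the browser can complete. It assumes the SP's default handler path /Shibboleth.sso with its Login handler and target parameter, that the REST endpoints answer with application/json, and that an application using lazy sessions returns 401 itself when it has no session; the origins and the fakeResponse helper are constructed for offline use.

```javascript
// Added example (not from the thread): client-side detection of a lost Shibboleth SP
// session on an AJAX call, plus recovery via a full-page navigation.
// Assumptions: the SP's default handler path /Shibboleth.sso, REST endpoints that return
// application/json, and an application that returns 401 when it manages the session itself.

const SP_HANDLER_PREFIX = '/Shibboleth.sso/';   // default SP handlerURL (assumption)

const Verdict = Object.freeze({ OK: 'ok', SESSION_LOST: 'session-lost', ERROR: 'error' });

// Decide what an AJAX response actually is. `res` is a fetch Response (or a duck-typed
// object with status, ok, redirected, url and headers.get()). `appOrigin` is the
// application's own origin, e.g. window.location.origin in a browser.
function classifyResponse(res, appOrigin) {
  const contentType = (res.headers.get('content-type') || '').toLowerCase();

  // Case 1: the SP answered 302 -> IdP and fetch followed it. The final URL is on
  // another origin (the IdP) or on the SP's own handler path; the body is a login page.
  if (res.redirected && res.url) {
    const finalUrl = new URL(res.url, appOrigin);
    if (finalUrl.origin !== appOrigin || finalUrl.pathname.startsWith(SP_HANDLER_PREFIX)) {
      return Verdict.SESSION_LOST;
    }
  }

  // Case 2: the application itself (lazy session / app-managed session) signals
  // "no session" explicitly; 401 is what an API should return here, not a redirect.
  if (res.status === 401) return Verdict.SESSION_LOST;

  // Case 3: a 2xx that is HTML rather than JSON is a login page served from the
  // app's own origin (for example an SP-protected login page on the SP host).
  if (res.ok && contentType.includes('application/json')) return Verdict.OK;
  if (res.ok && contentType.includes('text/html')) return Verdict.SESSION_LOST;

  return Verdict.ERROR;
}

// Wrapper for the application's REST calls. On a lost session, do what the XHR cannot:
// a full-page navigation through the SP's session initiator, which the browser follows
// to the IdP and back. `target` brings the user back to the current page afterwards.
async function apiFetch(url, options = {}) {
  const appOrigin = window.location.origin;
  let res;
  try {
    res = await fetch(url, { ...options, credentials: 'same-origin', redirect: 'follow' });
  } catch (err) {
    // A followed redirect to a cross-origin IdP without CORS headers makes fetch reject
    // with a TypeError; it is indistinguishable from a network failure, so report it as such.
    throw new Error(`request failed (network error or cross-origin IdP redirect): ${err.message}`);
  }
  switch (classifyResponse(res, appOrigin)) {
    case Verdict.OK:
      return res.json();
    case Verdict.SESSION_LOST:
      window.location.assign(
        SP_HANDLER_PREFIX + 'Login?target=' + encodeURIComponent(window.location.href));
      throw new Error('Shibboleth session lost; re-authenticating via full page load');
    default:
      throw new Error(`API error: HTTP ${res.status}`);
  }
}

// Constructed stand-in for a fetch Response so the classifier can be exercised offline.
function fakeResponse({ status = 200, contentType = 'application/json', redirectedTo = null } = {}) {
  return {
    status,
    ok: status >= 200 && status < 300,
    redirected: redirectedTo !== null,
    url: redirectedTo || '',
    headers: { get: (name) => (name.toLowerCase() === 'content-type' ? contentType : null) },
  };
}
```

The classifier is deliberately conservative: a same-origin redirect that lands on an ordinary application path is treated as normal, and a cross-origin failure is not silently assumed to be a session problem, because the client genuinely cannot tell the two apart (which is the point Scott makes about the model). The recovery path is the one thing the client can always do correctly: hand the whole navigation back to the browser so the SP and IdP can complete the SAML exchange.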