SP 2.5 cookieProps

Peter Schober peter.schober at univie.ac.at
Wed Aug 8 16:02:14 EDT 2012

* Cantor, Scott <cantor.2 at osu.edu> [2012-08-08 21:48]:
> >What does <Sessions> within an <ApplicationOverride> inherit? I don't
> >recall noticing the warning previously.
> It doesn't inherit anything *unless* you don't have the element at all,
> because then the request for the "Sessions" property set falls back to the
> parent application container. I thought that was stated somewhere, but it
> should be clearer on that page.

It's there in the first paragraph of the Inheritance Rules:

  "In most cases if an element is NOT supplied at the override level,
   it will be inherited automatically."

Also for the Sessions element the rules are explicitly spelled out to
work as descibed by the OP:

  "If present in the override, the default element's attribute content
   is ignored."

> The warning itself is new, part of a set of warnings for any
> settings that are not set to SSL use only, as suggested by Nate and
> others on the dev list, to encourage stronger settings.

Regarding one of these new warnings ("handlerSSL should be enabled for
SSL/TLS-enabled web sites"): For SPs which need access to the
assertion itself this might be slighly annoying when the GetAssertion
handler might not be available via https and hence have set
handlerSSL="false" even though the site is still https only. But it's
no big deal and I only have a single server which needs that.
(I customarily always set handlerSSL="true" since I don't ever want
anyone interacting with the handler over plain http, esp. with HTTP
POST from an TLS/SSL-protected IdP).

More information about the users mailing list