Possible to disable the invoking of Login/Logout handlers via browser address bar?
Peter Schober
peter.schober at univie.ac.at
Fri Aug 24 07:22:46 EDT 2012
* Andrew Webb <andrew.webb at statpro.com> [2012-08-24 13:00]:
> Is there a way to prevent handler invocation via manual address bar
> manipulation?
How should your webserver determine whether a GET request was issued
by a HTTP User Agent after receiving a "Location" HTTP header issued
by your server or by that user agent simply GET'ing that same URL
without such a prior exchange?
Session initiation is neither suitable for access control nor
authorization. If you don't want certain users or groups to be
able to access certain parts of the site, it's your application's job
(since you're using lazy sessions) to make sure of that.
What you can do with the latest release is limit the redirects after
login or logout to specific values (e.g. matching a host name), cf.
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions
-peter
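The redirect limit mentioned above (restricting post-login/logout return URLs to specific hosts) is the same check an application can apply to any user-supplied return target. The following is an added example, not code from the Shibboleth SP or from the original post; the host names in the allow-list and the parameter names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: the hosts a login/logout
# handler may redirect back to. Not taken from the original post.
ALLOWED_HOSTS = {"sp.example.org", "www.example.org"}


def is_safe_return_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `url` is a site-relative path or an absolute
    http(s) URL whose host is on the allow-list.

    Covers the usual ways an open-redirect check is bypassed:
    scheme-relative "//host/...", credentials before "@", non-http
    schemes, look-alike suffix hosts, and backslash tricks that some
    browsers normalise to "//".
    """
    if not url:
        return False
    # CR/LF would let the value corrupt the Location header itself;
    # backslashes are treated as "/" by some user agents.
    if any(c in url for c in "\r\n\\"):
        return False

    parts = urlsplit(url)

    if parts.scheme == "" and parts.netloc == "":
        # A plain relative path. urlsplit() already classifies "//host"
        # as netloc, so anything left here with a leading "/" is local.
        return url.startswith("/")

    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.

    # parts.hostname strips any user:pass@ prefix and the port, so
    # "https://sp.example.org@evil.example/" resolves to evil.example.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def choose_redirect(requested: str, default: str = "/") -> str:
    """Pick the URL a login/logout handler should send the browser to:
    the requested target if it passes the check, else a safe default."""
    return requested if is_safe_return_url(requested) else default
```

Usage: call `choose_redirect(request.args.get("target"))` (hypothetical framework call) when building the Location header, so a tampered `target` or `return` parameter falls back to the site root instead of leaving the allowed hosts.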