Applications that autorefresh

Christopher Bongaarts cab at umn.edu
Tue Jul 17 11:26:24 EDT 2012


On 7/16/2012 4:36 PM, Chad La Joie wrote:
> Well, if the SP is redirecting automatically that means they're using
> eager sessions.  I would recommend changing the SP to use lazy
> sessions and to display a "Your session has timed out, please click
> here to login again" page when appropriate.

The application is vendor provided, so while I can suggest changes to 
the Shib SP and get them in place, I don't have any control over the 
actual app code (which uses a simple REMOTE_USER integration with Shib).

> To your other question, the IdP's profile handlers and its
> authentication engine are separate things.  What you're suggesting
> would require that the authentication engine understand the serialized
> state and know how to deserialize it.  That would make an already
> complex beast (the authentication engine) more complex and would
> prevent new protocols from being added to the IdP without updating the
> authentication engine as well.

As a "first cut" I would be dumping data into the login form via the JSP 
and then getting it back out via our custom LoginHandler.  Is that a 
viable approach?

I think the other issue that folks have brought up is whether the "left 
the form on overnight" case is distinguishable from "hit the back 
button" or "magic cookie mutation" cases.

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%



