Applications that autorefresh
Christopher Bongaarts
cab at umn.edu
Tue Jul 17 11:26:24 EDT 2012
On 7/16/2012 4:36 PM, Chad La Joie wrote:
> Well, if the SP is redirecting automatically that means they're using
> eager sessions. I would recommend changing the SP to use lazy
> sessions and to display a "Your session has timed out, please click
> here to login again" page when appropriate.
The application is vendor provided, so while I can suggest changes to
the Shib SP and get them in place, I don't have any control over the
actual app code (which uses a simple REMOTE_USER integration with Shib).
> To your other question, the IdP's profile handlers and its
> authentication engine are separate things. What you're suggesting
> would require that the authentication engine understand the serialized
> state and know how to deserialize it. That would make an already
> complex beast (the authentication engine) more complex and would
> prevent new protocols from being added to the IdP without updating the
> authentication engine as well.
As a "first cut" I would be dumping data into the login form via the JSP
and then getting it back out via our custom LoginHandler. Is that a
viable approach?
I think the other issue that folks have brought up is whether the "left
the form on overnight" case is distinguishable from "hit the back
button" or "magic cookie mutation" cases.
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
More information about the users
mailing list