IIS and new Service Provider v2.5

Cantor, Scott cantor.2 at osu.edu
Tue Nov 6 14:09:50 EST 2012

On 11/6/12 2:00 PM, "Martin B. Smith" <smithmb at ufl.edu> wrote:
>I'm being told some folks have cast some suspicion on the following
>cookie as the place the SP software is detecting the "st:" --

Yeah, that's it.

>Is it possible there's a bug in parsing that cookie and somehow the SP
>thinks there's a header named "st:" being injected from ALL_HTTP?

Yes, I don't know why it was coded that way, but I probably was paying
more attention to the "safeHeaderNames" path than the other one.

-- Scott

More information about the users mailing list