SP and http(s)

Peter Schober peter.schober at univie.ac.at
Wed Nov 6 05:53:57 EST 2013


* Imbemba, Pasqualino <Pasqualino.Imbemba at provincia.bz.it> [2013-11-06 11:39]:
> That's what we thought *could* work: we'll try to activate http on
> the SP (not activating sh module) and redirect application outgoing
> URL requests making hostry entry point to the SP.

Sorry, I don't understand that. Either way, if the resulting session
cookie (from Shib or even an application session) is not flagged
secure -- and hence transmitted in the clear on any resulting HTTP
request from the user agent -- much of the security of the system is
gone, cf. the "Question about Shib session cookie protection" thread
from yesterday.
The only way to make "secure"-ly flagged cookies usable is to only use
the complete site on HTTPS (unless you don't care about any resulting
application sessions being secure, but then again, why bother?).

If you proxy from httpd to itself you could probably make that
possible without resorting to HTTP request headers (using
mod_rewrite -- "now you have two problems" ;)
-peter
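
The cookie behaviour described in the message above, as an added example that is not part of the original post: Python's standard `http.cookiejar` stands in for the user agent and shows which cookies it attaches to a later plain-HTTP request. The host name, cookie names and cookie values are constructed placeholders.

```python
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal response object: CookieJar only needs info()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value  # assignment appends a header

    def info(self):
        return self._msg


def cookies_sent(set_cookie_headers, set_on_url, next_url):
    """Return the sorted names of the cookies a user agent attaches to
    next_url after receiving set_cookie_headers from set_on_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(set_cookie_headers),
                        urllib.request.Request(set_on_url))
    request = urllib.request.Request(next_url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


# Constructed sample data (not taken from a real deployment).
HTTPS_URL = "https://sp.example.org/secure/"
HTTP_URL = "http://sp.example.org/app/"
UNFLAGGED = [
    "_shibsession_6578616d706c65=_0123abcd; path=/; HttpOnly",
    "APPSESSION=f00d; path=/",
]
FLAGGED = [value + "; secure" for value in UNFLAGGED]

if __name__ == "__main__":
    # Unflagged cookies leave in the clear on the HTTP request.
    print("unflagged, HTTP :", cookies_sent(UNFLAGGED, HTTPS_URL, HTTP_URL))
    # Flagged cookies are withheld on HTTP, so sessions only work on HTTPS.
    print("flagged,   HTTP :", cookies_sent(FLAGGED, HTTPS_URL, HTTP_URL))
    print("flagged,   HTTPS:", cookies_sent(FLAGGED, HTTPS_URL, HTTPS_URL))
```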

