correct value for cookieProps

Dan LaSota dlasota at alaska.edu
Mon Jul 28 18:55:02 EDT 2014


Looking for the correct values for cookieProps

I'm setting up WordPress as an SP on a CentOS box.

When shibd starts up, it's throwing out a warning of:
WARN Shibboleth.Application : custom cookieProps setting should include "; HttpOnly", site is vulnerable to client-side cookie theft

So I headed over to the wiki and looked up the cookieProps attribute.
I also looked at some of the mailing archive, namely this thread from 2012:
http://marc.info/?l=shibboleth-users&m=134445486407045&w=2

My current shibboleth2.xml Sessions tag reads:

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="; secure; domain=.site.domain.edu; path=/">


Questions: Aren't the handlerSSL="true" and the cookieProps secure value the same thing?
I am also seeing samples of https/http and HttpOnly.

This is what I want:
the right value for an SSL-forced everything on my multi-domain *.domain.edu site.

Thanks

Dan LaSota
Instructional Designer, UAF eLearning
(907) 451-4067
dan.lasota at alaska.edu
http://elearning.uaf.edu
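Added example (not from Dan's post or from the Shibboleth project) showing the posted Sessions element beside two variants that carry the HttpOnly flag shibd is asking for; the domain names are placeholders, and the shorthand expansions are the ones the SP applies for the "http"/"https" values of cookieProps.

```xml
<!-- As posted: "; HttpOnly" is absent, which is exactly what the shibd
     WARN line is about. Without it, script running in the page can read
     the session cookie. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true"
          cookieProps="; secure; domain=.site.domain.edu; path=/">
  <!-- SessionInitiator / handler elements unchanged -->
</Sessions>

<!-- Variant 1: the "https" shorthand. The SP expands it to
     "; path=/; secure; HttpOnly". No domain attribute is set, so the
     cookie is scoped to the exact host that issued it. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true"
          cookieProps="https">
  <!-- SessionInitiator / handler elements unchanged -->
</Sessions>

<!-- Variant 2: a custom string for a cookie shared across *.domain.edu
     (placeholder domain). Keep "secure" and add "HttpOnly".
     Note the two settings are different things: handlerSSL="true" only
     forces the SP's own handler URLs onto https; the "secure" flag is what
     stops the browser sending the cookie over plain http. A cookie scoped
     to .domain.edu is sent to every host under that domain, so every such
     host must be trusted with the session. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true"
          cookieProps="; path=/; secure; HttpOnly; domain=.domain.edu">
  <!-- SessionInitiator / handler elements unchanged -->
</Sessions>
```

After changing the value, restart shibd and confirm the WARN line no longer appears in shibd.log; the browser's cookie inspector should then show the _shibsession_ cookie with both Secure and HttpOnly set.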
