correct value for cookieProps
Dan LaSota
dlasota at alaska.edu
Mon Jul 28 18:55:02 EDT 2014
Looking for the correct values for cookieProps
I'm setting up WordPress as an SP on a CentOS box.
When shibd starts up it's throwing out a warning of:
WARN Shibboleth.Application : custom cookieProps setting should include "; HttpOnly", site is vulnerable to client-side cookie theft
So I headed over to the wiki and looked up the cookieProps attribute.
I also looked at some of the mailing archive, namely this thread from 2012:
http://marc.info/?l=shibboleth-users&m=134445486407045&w=2
My current shibboleth2.xml Sessions tag reads:
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="; secure; domain=.site.domain.edu; path=/">
Questions: Aren't handlerSSL="true" and the cookieProps secure value the same thing?
I am also seeing samples of https/http and HttpOnly.
This is what I want:
the right value for an SSL forced everything on my multidomain *.domain.edu site.
Thanks
Dan LaSota
Instructional Designer, UAF eLearning
(907) 451-4067
dan.lasota at alaska.edu
http://elearning.uaf.edu
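
Added example, not part of the original post or of the Shibboleth project: a small Python check that reproduces the condition in the shibd warning quoted above against a Sessions element, and appends the missing attributes. It assumes a custom cookieProps value is one that starts with ";" (other values, such as the http/https samples the post mentions, are skipped), and that a site served only over SSL also wants the secure attribute; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Sessions element from the post, wrapped in a
# minimal parent so it parses on its own (a real shibboleth2.xml is namespaced).
SAMPLE = '''<ApplicationDefaults>
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
  checkAddress="false" handlerSSL="true"
  cookieProps="; secure; domain=.site.domain.edu; path=/"/>
</ApplicationDefaults>'''

# Attributes this check insists on. HttpOnly comes from the shibd warning;
# secure is an assumption for a site that is SSL-only.
REQUIRED = {"httponly": "HttpOnly", "secure": "secure"}


def cookie_flags(props):
    """Split a custom cookieProps string into lowercase attribute names."""
    parts = (p.strip() for p in props.split(";"))
    return {p.split("=", 1)[0].strip().lower() for p in parts if p}


def audit_sessions(xml_text):
    """Return [(cookieProps, [missing attribute names])] for each Sessions
    element that carries a custom cookieProps string."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Strip any "{namespace}" prefix before comparing the tag name.
        if el.tag.rsplit("}", 1)[-1] != "Sessions":
            continue
        props = el.get("cookieProps")
        if props is None or not props.lstrip().startswith(";"):
            continue  # absent or not a custom string: out of scope here
        have = cookie_flags(props)
        findings.append((props, [f for f in REQUIRED if f not in have]))
    return findings


def harden(props):
    """Append whichever required attributes a custom string lacks."""
    have = cookie_flags(props)
    return props + "".join("; " + REQUIRED[f] for f in REQUIRED if f not in have)


if __name__ == "__main__":
    for props, missing in audit_sessions(SAMPLE):
        print("cookieProps:", props)
        print("missing:    ", missing or "nothing")
        print("suggested:  ", harden(props))
```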