Rejecting unauthenticated requests from apache2

Cantor, Scott cantor.2 at
Wed May 13 17:50:42 EDT 2015

On 5/13/15, 9:26 PM, "Cantor, Scott" <cantor.2 at> wrote:

>On 5/13/15, 9:04 PM, "Jeremy Shapiro" <jnshapiro at> wrote:
>>  I'd like to have apache2 reject these ajax calls when they do not have 
>>a valid session, rather than using lazy sessions and relying on the 
>>application.   Is there some sample apache config that would do this?
>You stop requiring a session. That's what you're describing.
>There are three possible options:
>- let the SP intercept the requests and require a session
>- let the SP intercept the requests and don't require a session

It does occur to me though that what you're asking for it to do is 
possible, just don't require a session and set a require shib-session 
rule. No session, you should get a 403 back.

I didn't really think about it initially because it's an unusual thing to 
do, it generally would work pretty badly in any given app.

-- Scott
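
A sketch of the configuration described in the reply above, added here as an example and not part of the original post. It assumes Apache 2.4 authorization syntax with mod_shib loaded; the paths `/app/ajax` and `/app/lazy` are hypothetical.

```apache
# Hypothetical path for the AJAX endpoints; adjust to the application.
<Location /app/ajax>
    # Let the SP intercept the request.
    AuthType shibboleth

    # Do not require a session, so the SP never redirects the
    # request to the IdP to create one.
    ShibRequestSetting requireSession false

    # Authorization still demands an existing Shibboleth session.
    # A request without one fails authorization and gets a 403.
    Require shib-session
</Location>

# For contrast, the lazy-session setup the question wanted to move away from:
# the SP passes every request through and the application has to check
# for a session itself.
<Location /app/lazy>
    AuthType shibboleth
    ShibRequestSetting requireSession false
    Require shibboleth
</Location>
```

With the first block in place, a request to `/app/ajax` that carries no valid session cookie should come back as a 403 and never reach the application.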
