Rejecting unauthenticated requests from apache2
Cantor, Scott
cantor.2 at osu.edu
Wed May 13 17:50:42 EDT 2015
On 5/13/15, 9:26 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>On 5/13/15, 9:04 PM, "Jeremy Shapiro" <jnshapiro at gmail.com> wrote:
>
>
>> I'd like to have apache2 reject these ajax calls when they do not have
>>a valid session, rather than using lazy sessions and relying on the
>>application. Is there some sample apache config that would do this?
>
>You stop requiring a session. That's what you're describing.
>
>There are three possible options:
>
>- let the SP intercept the requests and require a session
>- let the SP intercept the requests and don't require a session
It does occur or to me though that what you're asking for it to do is
possible, just don't require a session and set a require shib-session
rule. No session, you should get a 403 back.
I didn't really think about it initially because it's an unusual thing to
do, it generally would work pretty badly in any given app.
-- Scott
More information about the users
mailing list