Shibboleth SP not redirecting to the deep link

Peter Schober peter.schober at
Sat Dec 22 18:51:19 EST 2018

* krrishv <krish.v at> [2018-12-21 19:26]:
> Do i need to enable SSL on apache side, So we can resolve the secure
> cookie issue?

For real production deployments yes. Protecting any resource without
TLS protection of the requests and session cookies is would be a waste
of time.

> Path is changed to /php

Why? That doesn't match anything I've seen from your config example so

> cookieProps="; path=/php; secure; HttpOnly"

That's not a default setting, so you have change it that way. Do you
understand what it means what you did there? If you knew you would't
need to keep this email thread going since Dec 17th. So if you don't
understand what it means why did you do this?

It's what Scott said, of course: You've told the software to mark all
cookies with "secure" -- meaning the browser will *not* send any such
cookies along with requests to a web server running plain HTTP, i.e.,
without TLS -- and your web server has not TLS.
Obviously (?) this makes no sense as it cannot possibly work.


More information about the users mailing list