Does Shibboleth SP support HTTP POST redirect using status code 307?
Greg Haverkamp
gahaverkamp at lbl.gov
Tue Feb 13 19:17:43 EST 2018
>
> > I assume this isn't a rare scenario (user agent
> > requests a SP-protected resource via HTTP POST without a valid SP
> > session),
> > what are the possible solutions to this?
> That isn't your problem, your user agent isn't one, it has no UI, it's
> just a Javascript thread. If it did, you could turn on the post
> preservation feature and it would more or less work, at least with Apache.
> With no UI capability, that simply can't be relied upon.
> The only solution I know of is to take over the session management so
> timeouts aren't possible.
Another way to do it is for the application itself to keep track of its
state, which is how we do it in our AngularJS apps. Well, we do a few
things. (We're not dealing with a Shibboleth SP, but we still have to deal
with the situation where a session -- in our case, an OAuth access token --
has expired.)
1. Track when the session is going to expire and let the user know with
some warning. I'm largely assuming a single SP here. You should be able
to either service this in the code for the application, allow the
application to poll for the remaining lifetime, or more bluntly track. If
a user comes toward the end of the session lifetime, warn the user.
2. Checkpoint a user's operations before going to the server. If you've
collected input from the user, store it in local storage and retrieve it
when the app returns. Your application can either pick up where it left
off, complete the operation -- might not want to do this if there's no good
way to confirm the user hasn't changed -- or ask the user if they want to
recover.
We use #2 in several applications.
(Our model would be more like what Scott suggests, where you don't use the
SP for session management. Use lazy sessions, and your backend can signal
back to the AngularJS app when the session has expired and it's time to do
re-auth.)
Greg
On Tue, Feb 13, 2018 at 3:53 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> > Scott, thanks. We did hope SP/IdP timeout would be transparent to
> > application, but not the case.
>
> It is, mostly, if your application isn't written with those kinds of tools
> and the application supports deep linking.
>
> > I assume this isn't a rare scenario (user agent
> > requests a SP-protected resource via HTTP POST without a valid SP
> > session),
> > what are the possible solutions to this?
>
> That isn't your problem, your user agent isn't one, it has no UI, it's
> just a Javascript thread. If it did, you could turn on the post
> preservation feature and it would more or less work, at least with Apache.
> With no UI capability, that simply can't be relied upon.
>
> The only solution I know of is to take over the session management so
> timeouts aren't possible.
>
> -- Scott
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/
> confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
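Added example, not code from the thread, from Shibboleth or from Greg's applications: the two techniques in Greg's reply (track expiry and warn ahead of it; checkpoint pending input to storage before the request, recover it on return) in plain JavaScript. The storage key, the five-minute warning window, the in-memory Storage shim (stands in for window.localStorage so it runs outside a browser) and treating HTTP 401 as the backend's "session expired" signal are assumptions.

```javascript
const CHECKPOINT_KEY = 'app.checkpoint.v1';   // assumed key name
const WARN_BEFORE_MS = 5 * 60 * 1000;         // assumed: warn 5 minutes before expiry

// Minimal Storage-compatible shim so the example runs outside a browser;
// in a browser pass window.localStorage instead.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Point 1: classify the session from its absolute expiry (epoch ms) and "now"
// so the UI can warn the user before re-auth is forced.
function sessionState(expiresAt, now) {
  const remaining = expiresAt - now;
  if (remaining <= 0) return 'expired';
  if (remaining <= WARN_BEFORE_MS) return 'warn';
  return 'ok';
}

// Point 2: save the pending operation (collected user input) before the
// request goes to the server, so nothing is lost if the session is gone.
function checkpoint(storage, operation) {
  const record = { savedAt: Date.now(), operation };
  storage.setItem(CHECKPOINT_KEY, JSON.stringify(record));
  return record;
}

// On return after re-auth: read and clear the checkpoint. Returns null when
// nothing was saved or the record is unparseable, so callers never act on junk.
function recoverCheckpoint(storage) {
  const raw = storage.getItem(CHECKPOINT_KEY);
  if (raw === null) return null;
  storage.removeItem(CHECKPOINT_KEY);
  try {
    const record = JSON.parse(raw);
    return record && typeof record === 'object' && 'operation' in record ? record : null;
  } catch (e) {
    return null;
  }
}

// After the response: a 401 (assumed expiry signal from the backend) keeps the
// checkpoint and hands off to re-auth; any other status clears it.
function afterResponse(storage, status, onReauth) {
  if (status === 401) { onReauth(); return 'reauth'; }
  storage.removeItem(CHECKPOINT_KEY);
  return 'done';
}
```

Whether to replay the recovered operation automatically or ask the user first is the choice Greg raises; recoverCheckpoint only hands the record back and leaves that decision to the application.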