UID not available in HTTP variables
Cantor, Scott
cantor.2 at osu.edu
Thu Jun 20 09:27:34 EDT 2019
On 6/20/19, 9:23 AM, "Hong Ye" <hy93 at cornell.edu> wrote:
> If it is not safe to use headers, does Shibboleth SP set attributes as server variables?
Yep. In IIS also.
> I dump all the cgi variables and
> didn't see any attributes in there.
There is no reliable way to do that in most newer software because they build the list of variables in unreliable ways, but even if there was, that would mean the system isn't configured correctly. Without directly accessing a variable, you can't really know whether it's there or not. Dumping variable lists is a nice debugging tool but it is big time insecure to do that, so in some ways it's a good thing it no longer works well.
-- Scott
More information about the users
mailing list