Cookie spoof

Cantor, Scott cantor.2 at
Tue Nov 12 08:12:52 EST 2019

On 11/11/19, 5:40 PM, "users on behalf of Stopinski, Thomas Thaddäus" <users-bounces at on behalf of thstopinski at> wrote:

> What we keep asking ourselves is, how is the SP supposed to know where to send me after a successful login?

The SP knows nothing about that second domain and must have no references to it, and no clients must ever talk to it. Reverse proxies *are* the app, full stop. That's the only URL that can be visible or used anywhere. All rules must be in terms of the external URL, all metadata, everything. Until you fix that, none of this will work.

-- Scott
