RelyParty redirect URL

Cantor, Scott cantor.2 at
Thu Jul 2 16:55:49 UTC 2020

On 7/2/20, 12:41 PM, "users on behalf of Joseph Fischetti" <users-bounces at on behalf of Joseph.Fischetti at> wrote:

> Is it terrible security practice to use it in a url parameter, or pass it to an SP?  (I just want to understand the statement)

Both, but passing it to another party is particularly bad.

> I'm following the same model that Christopher Bongaarts proposed (which is how they've implemented their password
> reset mechanism).  In their case, the "attribute = 0 | 1" is their "password = valid | invalid", and once they send the user
> to the password update mechanism, they're passed back to the IdP to continue on to their original target SP.

I'm not specifically reviewing what you're doing; that's not something I have time to do, and this is way too involved for me to get into.

I'm just explaining that doing this doesn't fix anything for technical reasons. It's just a function of how Java sessions work. Passing it on the URL can only matter in the case where the session is still around but the cookie's not being sent back. And I doubt that's the problem absent frames, or I suppose SameSite if Chrome rolled out their change.

Generally speaking, you cannot expect a long-lived interstitial process to work reliably, at least without extending the container's session timeout default beyond 30 minutes. If that's not the problem, then you have a cookie problem, and fixing that problem is the solution.

-- Scott
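Scott's point is that a session ID on the URL only helps when the container session still exists but the browser is not sending the session cookie back, and that the likely causes are framing or Chrome's SameSite default change. The following is an added example, not code from the thread or from the Shibboleth project: a small Set-Cookie checker that reports whether a given session cookie would be delivered on a cross-site request (such as an IdP loaded inside another site's frame) under Chrome's 2020 behaviour, where a missing SameSite attribute is treated as Lax and SameSite=None is only accepted together with Secure. The cookie names, values and paths are constructed for illustration.

```python
"""Audit Set-Cookie headers for cross-site (framed) delivery under Chrome's
SameSite-by-default rules. Added example; header values below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CookieCheck:
    name: str
    effective_same_site: str   # value Chrome will apply, including the Lax default
    secure: bool
    sent_cross_site: bool      # would the browser attach it to a cross-site request?
    reason: str


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into (cookie name, lower-cased attribute map).
    Value-less attributes such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = ""
    return name, attrs


def check_cookie(header: str) -> CookieCheck:
    """Apply Chrome's rules: no SameSite -> Lax; None without Secure -> rejected;
    Lax/Strict are never sent on a cross-site subresource or frame request."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    declared = attrs.get("samesite", "").lower()

    if declared == "none":
        if secure:
            return CookieCheck(name, "None", True, True,
                               "SameSite=None; Secure: sent cross-site, including in frames")
        return CookieCheck(name, "None (rejected)", False, False,
                           "SameSite=None without Secure is rejected by Chrome entirely")
    if declared == "strict":
        return CookieCheck(name, "Strict", secure, False,
                           "SameSite=Strict: never sent on cross-site requests")
    if declared == "lax":
        return CookieCheck(name, "Lax", secure, False,
                           "SameSite=Lax: not sent when the page is framed by another site")
    # No attribute at all: Chrome 80+ treats it as Lax.
    return CookieCheck(name, "Lax (default)", secure, False,
                       "no SameSite attribute: Chrome defaults to Lax, so a framed IdP "
                       "never receives it and the container session looks lost")


def audit(headers: List[str]) -> List[CookieCheck]:
    """Check every Set-Cookie header and return the findings in order."""
    return [check_cookie(h) for h in headers]


# Constructed sample headers, modelled on a Java container session cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=constructed1; Path=/idp; HttpOnly",
    "JSESSIONID=constructed2; Path=/idp; HttpOnly; SameSite=None",
    "JSESSIONID=constructed3; Path=/idp; HttpOnly; Secure; SameSite=None",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        status = "SENT" if finding.sent_cross_site else "NOT SENT"
        print(f"{finding.name:12} {finding.effective_same_site:16} {status:9} {finding.reason}")
```

The first two constructed headers are the cases where the session is still alive server-side but the cookie never comes back in a framed flow, which is exactly the situation where putting the ID on the URL appears to "fix" things; the real fix is the cookie attributes (or not framing the IdP), not moving the session ID into a URL parameter.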
