Use HTTP verb in Service Provider request mapper

Cantor, Scott cantor.2 at osu.edu
Thu Oct 21 12:56:19 UTC 2021


On 10/21/21, 8:51 AM, "users on behalf of Fabien BERTEAU" <users-bounces at shibboleth.net on behalf of fabien.berteau at manomano.com> wrote:

> I thought I could avoid ECP in our SPAs by forcing the user to authenticate in order to download the SPA
> (classic SP initiated browser flow), then by embedding the SP session cookie during each call to a web service
> based on XMLHTTPRequest (same domain, so the browser should add it?). Am I wrong?

That might work (assuming you change the cookie properties to strip out HttpOnly), but only until it times out. Most of the time that falls apart later on because of the limitations of those Ajax requests and the error handling, but to be clear I didn't realize you meant you were making Ajax calls, I assumed it was just a web service.

-- Scott
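As an added illustration (not code from this thread or from the Shibboleth project): a same-origin fetch to an SP-protected JSON endpoint that rides on the existing SP session cookie, together with the error handling that is missing when "it times out". The endpoint path, the JSON content type and the reload-to-reauthenticate strategy are assumptions.

```javascript
// Constructed example: calling a Shibboleth SP-protected web service from an
// SPA using the browser's SP session cookie. When the SP session expires the
// SP answers with a redirect to the IdP (or an HTML login page) rather than
// JSON, and fetch follows that redirect silently, so the client must detect it.
// Endpoint path and content-type convention are assumptions for illustration.

// Classify a response from an SP-protected JSON endpoint.
// Returns "ok", "session-expired" or "error".
function classifyResponse({ status, contentType, redirected }) {
  const ct = (contentType || "").toLowerCase();
  const isJson = ct.includes("application/json");
  // A followed redirect that did not land on JSON is the IdP login page.
  if (redirected && !isJson) return "session-expired";
  // Explicit denial from the SP or the application.
  if (status === 401 || status === 403) return "session-expired";
  if (status >= 200 && status < 300 && isJson) return "ok";
  // 2xx but HTML where JSON was expected: login page served in place.
  if (status >= 200 && status < 300) return "session-expired";
  return "error";
}

// Call a same-origin, SP-protected endpoint; on session loss, re-run the
// SP-initiated browser flow by reloading the app (assumed strategy).
async function callProtectedService(path) {
  const res = await fetch(path, {
    credentials: "same-origin",            // attach the SP session cookie
    headers: { Accept: "application/json" },
    redirect: "follow",
  });
  const verdict = classifyResponse({
    status: res.status,
    contentType: res.headers.get("content-type"),
    redirected: res.redirected,
  });
  if (verdict === "session-expired") {
    window.location.reload();             // triggers SP -> IdP -> back with a fresh session
    return null;
  }
  if (verdict !== "ok") throw new Error(`service call failed: HTTP ${res.status}`);
  return res.json();
}
```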
