Use HTTP verb in Service Provider request mapper

Cantor, Scott cantor.2 at
Thu Oct 21 12:56:19 UTC 2021

On 10/21/21, 8:51 AM, "users on behalf of Fabien BERTEAU" <users-bounces at on behalf of fabien.berteau at> wrote:

> I thought I could avoid ECP in our SPAs by forcing the user to authenticate in order to download the SPA
> (classic SP-initiated browser flow), then by embedding the SP session cookie during each call to a web service
> based on XMLHttpRequest (same domain, so the browser should add it?). Am I wrong?

That might work (assuming you change the cookie properties to strip out HttpOnly), but only until it times out. Most of the time that falls apart later on because of the limitations of those Ajax requests and the error handling, but to be clear, I didn't realize you meant you were making Ajax calls; I assumed it was just a web service.

-- Scott
