[shib_auth] HTTPS vs HTTP Help ASAP.

Kristof Bajnok bajnokk at niif.hu
Wed Jun 29 07:14:35 CEST 2011


On 2011. June 28. 20:39:43 Luke Cameron wrote:
> have set up the SP like normal with HTTPS enabled, but the web developer
> wants them to login to Shib over HTTPS then redirect them back to HTTP, but
> when I try this in a test environment it won't work; it shows them logged
> out again.

This is most probably because your Shibboleth SP does not protect the 
unencrypted HTTP requests. Look for the 'handlerSSL' parameter in shibboleth.xml.

According to 
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions , this 
setting defaults to true, so you have to disable it.


> Can someone confirm this is correct, or a way of doing what the web
> developer wants to do.

From the security point of view, it undoubtedly weakens the protection. Then 
the session cookie is transmitted unencrypted, so anybody along the way may see 
it. However, Shibboleth has the 'consistentAddress' checking, which only 
allows cookies originating from the same (consistent) IP address, so an 
attacker must also forge the IP address to steal the user's session.

Kristof
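An added illustration, not from this thread, of the SP `<Sessions>` element with the default protected settings beside the weakened settings the HTTPS-login-then-HTTP flow needs. The file name shibboleth2.xml, the lifetime/timeout values and the `cookieProps` attribute (which sets the cookie's Secure flag and is not mentioned in the thread) are assumptions about an SP 2.x deployment; only `handlerSSL` and `consistentAddress` come from the reply above.

```xml
<!-- Protected (default) configuration: handler requests are confined to
     HTTPS, the session cookie carries the Secure flag, and the session is
     bound to the client IP address. Surrounding elements are omitted. -->
<Sessions lifetime="28800" timeout="3600"
          handlerURL="/Shibboleth.sso"
          handlerSSL="true"
          cookieProps="https"
          consistentAddress="true">
  <!-- SessionInitiator and handler elements unchanged -->
</Sessions>

<!-- Weakened configuration that lets the user be redirected to plain HTTP
     after an HTTPS login. The session cookie now travels in clear text and
     can be read by anyone on the path; consistentAddress="true" is kept so a
     captured cookie is only accepted from the same client IP address. -->
<Sessions lifetime="28800" timeout="3600"
          handlerURL="/Shibboleth.sso"
          handlerSSL="false"
          cookieProps="http"
          consistentAddress="true">
  <!-- SessionInitiator and handler elements unchanged -->
</Sessions>
```

After either change, restart the SP daemon and confirm with a browser's cookie inspector whether the `_shibsession_` cookie is flagged Secure.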


