Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL
Mihaylov, Dimitar wrote on 2009-04-08:
> Do you mean a single cookie or one for each request? In the first case
> you will get problems with parallel requests because the cookie might be
> overwritten before you get response from the IdP.

It's per request to deal with frames but otherwise it's not a major factor. Frames themselves are generally passe anyway these days (mainly because they're not accessible), so you rarely run into many race conditions most of the time even with one cookie. I didn't even try to fix that until the last year or so and it rarely came up.

> In the second case I think there will be problems with their cleanup.

Not that I've ever seen, you just clear it when the response comes in. It's not the majority case that you send the user away and never get anything back, or you have more problems than this one.

> If they are not
> reliably cleaned up you may lose some other cookies (even such as
> jsessionid, etc.) because of the limitation of 20 cookies per server.

Cookie limitations used to vary widely by browser, and 20 is just a minimum, but this has never come up in our case to my knowledge, and AFAIK that's how pretty much every SP works. I don't think I invented the idea. If I'm wrong, so be it, I certainly see no reason to change my design.

As a practical matter, I think that most SPs ignore the 80 byte limit anyway. I do that myself, I just happen to use cookies by default so it doesn't matter much.

-- Scott
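
The two cookie strategies compared in this message, as an added sketch that is not part of the original post and not any SP's own code. It models an SP that keeps the full return URL in a cookie and sends only a short handle as RelayState; the cookie prefix, the "cookie:" handle format, the function names and the sample URLs are all assumptions made for illustration.

```python
import secrets

RELAY_STATE_MAX = 80          # SAML bindings cap RelayState at 80 bytes
PREFIX = "_sp_state_"         # hypothetical cookie-name prefix

def start_sso(jar, return_url, per_request=True):
    """SP redirects to the IdP: stash the full return URL (query string
    included) in a cookie and send only a short handle as RelayState."""
    handle = secrets.token_hex(8) if per_request else "single"
    jar[PREFIX + handle] = return_url
    relay_state = "cookie:" + handle
    if len(relay_state.encode()) > RELAY_STATE_MAX:
        raise ValueError("RelayState exceeds 80 bytes")
    return relay_state

def finish_sso(jar, relay_state):
    """Response arrives at the assertion consumer service: recover the URL
    and clear the cookie in the same step. Returns None if unknown."""
    if not relay_state.startswith("cookie:"):
        return None
    return jar.pop(PREFIX + relay_state[len("cookie:"):], None)

def run_two_frames(per_request):
    """Two frames start SSO before either response comes back."""
    jar = {}  # stands in for the browser's cookies for the SP host
    urls = ["https://sp.example.org/app?frame=left&id=1",
            "https://sp.example.org/app?frame=right&id=2"]  # constructed
    handles = [start_sso(jar, u, per_request) for u in urls]
    results = [finish_sso(jar, h) for h in handles]
    return urls, results, jar

if __name__ == "__main__":
    for mode in (False, True):
        urls, results, jar = run_two_frames(mode)
        label = "per-request" if mode else "single cookie"
        print(label, results, "left over:", len(jar))
```

With one shared cookie the first response is handed the second frame's URL and the second response finds nothing; with per-request cookies each response gets its own URL, and a cookie is left behind only when a request is started and no response ever returns.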