Subject: Server-Side State and Stateful Sessions
This message is primarily a call for discussion on implementation requirements of the Single Logout Protocol (Section 3.7) of the SAML 2.0 core and protocols specification.

BACKGROUND:
------------
Most web security systems maintain user session state via cookies (client-side state). Cookies may be secured (encrypted and authenticated). Further, with each user access, cookies may be reconstituted and kept up to date with session details etc. Policies may be applied at PEPs for maximum session lifetimes, session time-outs etc.

QUESTION
-----------
The text in Section 3.7.3 suggests to me that this type of implementation cannot implement SLO semantics. In particular, it seems to me that each and every access by a user would require a lookup in a session table shared between all PEPs. In this way, when a session cookie linked to specific <saml:NameID>'s and <SessionIndex> elements is presented by the user, it can be invalidated. Am I missing something here?

- prateek
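The tension prateek describes, sketched as an added example that is not from the thread or from any SAML implementation: a MAC-protected stateless cookie that every PEP can verify locally, beside the shared (NameID, SessionIndex) set that each access must also consult for a LogoutRequest to take effect. The key, cookie layout and handler names are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; real PEPs would share a managed secret instead.
COOKIE_KEY = b"demo-key-do-not-use"


def issue_cookie(name_id, session_index, ttl=3600, now=None):
    """Stateless session cookie: JSON payload plus HMAC, verifiable by any PEP alone."""
    now = now if now is not None else int(time.time())
    payload = json.dumps({"nid": name_id, "idx": session_index, "exp": now + ttl}).encode()
    tag = hmac.new(COOKIE_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def parse_cookie(cookie):
    """Return the payload dict if the MAC verifies, otherwise None."""
    try:
        b64, tag = cookie.split(".")
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:
        return None
    expected = hmac.new(COOKIE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


# Shared state every PEP must consult: (NameID, SessionIndex) pairs ended by SLO.
# A deployment would replicate this store; here it is a process-local set (constructed).
logged_out = set()


def handle_logout_request(name_id, session_index):
    """Hypothetical SP-side handler for <samlp:LogoutRequest>: record the ended session."""
    logged_out.add((name_id, session_index))


def pep_allows(cookie, now=None):
    """MAC and expiry checks are local; honouring SLO needs the shared set as well."""
    now = now if now is not None else int(time.time())
    sess = parse_cookie(cookie)
    if sess is None or sess["exp"] <= now:
        return False
    return (sess["nid"], sess["idx"]) not in logged_out
```

Without the final membership test a valid, unexpired cookie stays usable after logout, which is exactly the lookup-on-every-access cost the post raises.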