OASIS Mailing List Archives

saml-dev message
Subject: Server-Side State and Stateful Sessions


This message is primarily a call for discussion on implementation
requirements of the Single Logout Protocol (Section 3.7) of the SAML 2.0
core and protocols specification.

BACKGROUND:
------------
Most web security systems maintain user session state via cookies
(client-side state). Cookies may be secured (encrypted and authenticated).
Further, with each user access, cookies may be reconstituted and kept
up to date with session details etc. Policies may be applied at PEPs for
maximum session lifetimes, session time-outs etc.

QUESTION
-----------
The text in Section 3.7.3 suggests to me that this type of
implementation cannot implement SLO semantics. In particular, it seems to me
that each and every access by a user would require lookup in a session table
shared between all PEPs. In this way, when a session cookie linked to
specific <saml:NameID>'s and <SessionIndex> elements is presented by the
user, it can be invalidated.

Am I missing something here?


- prateek
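The mechanism the post describes, sketched as an added example that is not part of the original message, the SAML specification, or any OASIS code: a PEP issues an authenticated cookie that links the browser session to the `<saml:NameID>` and `<SessionIndex>`, a `<LogoutRequest>` handler records the terminated pair in a table shared between PEPs, and every access consults that table. The cookie format, the `COOKIE_KEY` value, the `RevocationStore` class and the sample NameID/SessionIndex values are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder key shared by the PEPs; a real deployment would load it from a secret store.
COOKIE_KEY = b"example-pep-shared-key-not-a-real-secret"
# PEP policy: maximum session lifetime in seconds (a constructed value).
MAX_SESSION_LIFETIME = 8 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(name_id: str, session_index: str, now: float) -> str:
    """Build an HMAC-authenticated cookie tying the session to NameID and SessionIndex."""
    payload = json.dumps(
        {"nid": name_id, "sidx": session_index, "iat": int(now)},
        separators=(",", ":"),
    ).encode()
    mac = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def parse_cookie(cookie: str):
    """Verify the MAC and return the payload dict, or None for a forged or malformed cookie."""
    try:
        encoded_payload, encoded_mac = cookie.split(".", 1)
        payload = _unb64(encoded_payload)
        mac = _unb64(encoded_mac)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


class RevocationStore:
    """Table shared between all PEPs of (NameID, SessionIndex) pairs ended by a LogoutRequest.

    Because the cookie itself enforces MAX_SESSION_LIFETIME, an entry only has to be kept
    until every cookie minted for that session has expired, which bounds the table's size.
    """

    def __init__(self):
        self._revoked = {}  # (name_id, session_index) -> time of revocation

    def revoke(self, name_id: str, session_index: str, now: float) -> None:
        self._revoked[(name_id, session_index)] = now

    def is_revoked(self, name_id: str, session_index: str) -> bool:
        return (name_id, session_index) in self._revoked

    def purge(self, now: float) -> None:
        """Drop entries older than the maximum cookie lifetime; no live cookie can match them."""
        cutoff = now - MAX_SESSION_LIFETIME
        self._revoked = {k: t for k, t in self._revoked.items() if t > cutoff}


def handle_logout_request(store: RevocationStore, name_id: str, session_indexes, now: float) -> None:
    """What the SP does on receiving a <LogoutRequest>: record each named session as terminated."""
    for sidx in session_indexes:
        store.revoke(name_id, sidx, now)


def pep_allows(store: RevocationStore, cookie: str, now: float):
    """Per-access PEP decision: valid MAC, within lifetime, and not in the shared revocation table."""
    payload = parse_cookie(cookie)
    if payload is None:
        return False, "bad-cookie"
    if now - payload["iat"] > MAX_SESSION_LIFETIME:
        return False, "expired"
    if store.is_revoked(payload["nid"], payload["sidx"]):
        return False, "logged-out"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: login, access, logout, access again.
    store = RevocationStore()
    cookie = mint_cookie("user@example.org", "_idx-1", 1000.0)
    print(pep_allows(store, cookie, 1001.0))
    handle_logout_request(store, "user@example.org", ["_idx-1"], 1002.0)
    print(pep_allows(store, cookie, 1003.0))
```

The shared lookup the post asks about is the `is_revoked` call inside `pep_allows`; the point of keeping the cookie authenticated and lifetime-bounded is that the shared table holds only terminated sessions rather than every live one, and `purge` can discard entries once no cookie could still name them.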