OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Server-Side State and Stateful Sessions

It guess it depends on the interpretation of "MUST invalidate session". One
interpretation that I don't see a problem with is that you could remember
the logout message and insure that any subsequent access by the cookie that
corresponds to the session results in the session being invalidated,
essentially a "delayed kill".

I think "invalidate" has to be read in the context of what the
implementation of the session is. If it's solely a cookie, then insuring the
next access by that cookie does not resume the session constitutes

Of course, the motivation behind using only the cookie is avoiding shared
state between the servers. And remembering the logout request requires
shared state between the servers. I don't see any way around that. The
problem is that not having the back-channel makes people nervous, as John K.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]