Subject: RE: [security-services] Server-Side State and Stateful Sessions
[Scott] I guess it depends on the interpretation of "MUST invalidate session". One interpretation that I don't see a problem with is that you could remember the logout message and ensure that any subsequent access by the cookie that corresponds to the session results in the session being invalidated, essentially a "delayed kill". [/Scott]

The challenge here is that a database lookup is now required *every time* the user accesses a resource. Otherwise, we might unknowingly permit access even with an invalid session. To my knowledge, most commercial web access systems avoid this type of architecture as it is unlikely to scale under load.

I do have to express my concern that the SAML 2.0 specification is mandating features that have yet to be proven to scale in deployments. I understand that there may be use-cases where the ability to cancel an arbitrary session or all of a user's sessions is extremely important. However, I am also suggesting that there is a wide class of web access products that do not implement this functionality. In these systems, it is enough to cancel all of the sessions found in a single browser instance (vs. arbitrary named sessions or all sessions associated with a user).

- prateek
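An added illustration, not part of this thread, of the "delayed kill" Scott describes and the per-request lookup cost prateek objects to: the cookie is verified statelessly by signature, but honouring a logout requires a revocation lookup on every access, and skipping that lookup silently accepts a logged-out session. The `SessionAuthority` class, its cookie format and the signing key are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical signing key, constructed for this example only.
SECRET_KEY = b"example-key-not-for-production"


def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


class SessionAuthority:
    """Stateless signed cookies plus a revocation list implementing 'delayed kill'."""

    def __init__(self, session_ttl=3600):
        self.session_ttl = session_ttl
        # session_id -> expiry of the revoked session; an entry only needs to
        # live as long as the cookie itself could still be replayed.
        self.revoked = {}

    def issue(self, now=None):
        """Cookie 'session_id.expiry.signature'; verifiable without server state."""
        now = time.time() if now is None else now
        payload = "%s.%d" % (secrets.token_hex(16), int(now + self.session_ttl))
        return "%s.%s" % (payload, _sign(payload))

    def _parse(self, cookie):
        """Return (session_id, expiry) if the signature is valid, else None."""
        parts = cookie.split(".")
        if len(parts) != 3:
            return None
        session_id, expiry, sig = parts
        if not hmac.compare_digest(sig, _sign("%s.%s" % (session_id, expiry))):
            return None
        return session_id, int(expiry)

    def logout(self, cookie):
        """Remember the logout so the session is refused on its next use."""
        parsed = self._parse(cookie)
        if parsed is not None:
            self.revoked[parsed[0]] = parsed[1]

    def validate(self, cookie, now=None, check_revocation=True):
        now = time.time() if now is None else now
        parsed = self._parse(cookie)
        if parsed is None or parsed[1] <= now:
            return False
        if not check_revocation:
            return True  # signature-only path: a logged-out session is still accepted
        # The lookup every request pays for; prune entries whose cookies have expired.
        self.revoked = {s: e for s, e in self.revoked.items() if e > now}
        return parsed[0] not in self.revoked
```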