saml-dev message
Subject: RE: [security-services] Server-Side State and Stateful Sessions




[Scott]
I guess it depends on the interpretation of "MUST invalidate session". One
interpretation that I don't see a problem with is that you could remember
the logout message and ensure that any subsequent access by the cookie that
corresponds to the session results in the session being invalidated,
essentially a "delayed kill".
[\Scott]

The challenge here is that a database lookup is now required *every time* the
user accesses a resource. Otherwise, we might unknowingly permit access even
with an invalid session. 

To my knowledge, most commercial web access systems avoid this type of
architecture as it is unlikely to scale under load. I do have to express my
concern that the SAML 2.0 specification is mandating features that have yet
to be proven to scale in deployments.


I understand that there may be use-cases where the ability to cancel an
arbitrary session or all of a user's sessions is extremely important.
However, I am also suggesting that there are a wide class of web access
products that do not implement this functionality. In these systems, it is
enough to cancel all of the sessions found in a single browser instance (vs.
arbitrary named sessions or all sessions associated with a user).


- prateek  
  
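The "delayed kill" Scott describes, and the per-request lookup cost prateek objects to, as an added example that is not code from this thread or from any SAML implementation: the cookie is self-contained (HMAC-SHA256 over a small JSON payload) so an ordinary request needs no database, and the logout is recorded in a revocation list that is consulted on every access. The list stays small because each entry is dropped as soon as the cookie it blocks would have expired on its own. It goes one step beyond the message by also handling "cancel all of a user's sessions" with a per-user issue-time cutoff. The cookie format, the claim names sid/sub/iat/exp, the demo key and the sample cookies are all assumptions made for this example.

```python
"""Delayed-kill logout for a self-contained session cookie.

Added example, not code from the saml-dev thread. Assumptions: the cookie
format (HMAC-SHA256 over a JSON payload), the claim names sid/sub/iat/exp
and the constructed demo key are all mine, not anything the thread specifies.
"""
import base64
import binascii
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: demo key only


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(sid, sub, iat, exp, key=DEMO_KEY):
    """Mint a self-contained cookie: verifying it needs no server-side state."""
    payload = json.dumps({"sid": sid, "sub": sub, "iat": iat, "exp": exp},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def parse_cookie(cookie, now, key=DEMO_KEY):
    """Return the claims if the tag verifies and the cookie is unexpired, else None."""
    try:
        p, t = cookie.split(".")
        payload, tag = _unb64(p), _unb64(t)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims


class RevocationList:
    """The 'delayed kill' record.

    A logout does not reach the browser; instead the session id (or a per-user
    cutoff) is remembered and checked on every access. Entries are dropped once
    the cookie they block would have expired anyway, so the list is bounded by
    logouts within one session lifetime, not by the number of users.
    """

    def __init__(self):
        self._sids = {}         # sid -> exp of the cookie being killed
        self._user_cutoff = {}  # sub -> (issue-time cutoff, time the entry becomes moot)

    def revoke_session(self, sid, exp):
        self._sids[sid] = exp

    def revoke_user(self, sub, now, max_ttl):
        """Kill every session of `sub` issued before `now`. Any such cookie
        will itself have expired at most max_ttl seconds later."""
        self._user_cutoff[sub] = (now, now + max_ttl)

    def is_revoked(self, claims, now):
        self._purge(now)
        if claims["sid"] in self._sids:
            return True
        cutoff = self._user_cutoff.get(claims["sub"])
        return cutoff is not None and claims["iat"] < cutoff[0]

    def _purge(self, now):
        self._sids = {s: e for s, e in self._sids.items() if e > now}
        self._user_cutoff = {u: c for u, c in self._user_cutoff.items() if c[1] > now}

    def __len__(self):
        return len(self._sids) + len(self._user_cutoff)


def authorize(cookie, revocations, now):
    """Per-request check: verify the cookie (no lookup), then consult the
    revocation list (the lookup the thread is concerned about)."""
    claims = parse_cookie(cookie, now)
    if claims is None or revocations.is_revoked(claims, now):
        return None
    return claims
```

The lookup on every request is still there, as prateek says; what changes is its cost. The revocation list holds only sessions killed before their natural expiry and only for the remainder of that lifetime, so it fits in memory or a replicated cache rather than needing a database round trip, and the per-user cutoff covers the "all of a user's sessions" case without enumerating them.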


