RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL

["Scott Cantor" <cantor.2@osu.edu>]

>> This will increase the risk of potential Denial of Service (DoS) attacks
>> because even without any authentication you store something in a session
>> or in a database, etc.

Another point, solely based on the original example/question, is that it's
also a bad idea to ever pass actual session ID material around to the IdP
and back anyway, especially in a redirect, since that gets logged all over.
That opens up the session back at the SP to lots of attack vectors, given
the stupidity of how most server-side sessions are implemented by
application servers. Lack of address checking, for example.

-- Scott