OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL

Mihaylov, Dimitar wrote on 2009-04-08:
> Do you mean a single cookie or one for each request? In the first case
> you will get problems with parallel requests because the cookie might be
> overwritten before you get response from the IdP.

It's per request to deal with frames but otherwise it's not a major factor.
Frames themselves are generally passe anyway these days (mainly because
they're not accessible), so you rarely run into many race conditions most of
the time even with one cookie. I didn't even try to fix that until the last
year or so and it rarely came up.

> In the second case I think there will be problems with their cleanup.

Not that I've ever seen, you just clear it when the response comes in. It's
not the majority case that you send the user away and never get anything
back, or you have more problems than this one.

> If they are not
> reliably cleaned up you may lose some other cookies (even such as
> jsessionid, etc.) because of the limitation of 20 cookies per server.

Cookie limitations used to vary widely by browser, and 20 is just a minimum,
but this has never come up in our case to my knowledge, and AFAIK that's how
pretty much every SP works. I don't think I invented the idea. If I'm wrong,
so be it, I certainly see no reason to change my design.

As a practical matter, I think that most SPs ignore the 80 byte limit
anyway. I do that myself, I just happen to use cookies by default so it
doesn't matter much.
-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]