Subject: Fwd: [security-services-comment] SAML 2.0 Identity Provider Discover Profile
---------- Forwarded message ----------
From: Tom Scavo <trscavo@gmail.com>
Date: Sun, 31 Oct 2004 21:54:12 -0500
Subject: Re: [security-services-comment] SAML 2.0 Identity Provider Discover Profile
To: Scott Cantor <cantor.2@osu.edu>
Cc: SAML <security-services@lists.oasis-open.org>

On Sun, 31 Oct 2004 21:40:33 -0500, Scott Cantor <cantor.2@osu.edu> wrote:
>
> > Section 4.3 of [SAMLProf]
> >
> > [lines 1066--1067] The phrase "[common-domain]" is not well defined.
> > Suppose the common domain is CommonDomain.com. Then the Domain
> > attribute of the cookie should be set to ".CommonDomain.com". RFC
> > 2109 states that the Domain attribute "must always start with a dot."
> > RFC 2965 (which obsoletes RFC 2109) states that if the Domain
> > attribute "does not start with a dot, the user agent supplies a
> > leading dot." It is safest, however, to explicitly include the dot.
>
> Have added a SHOULD to include a leading period. The RFCs seem to be in
> practice meaningless, but a period does no harm.

Note that the liberty spec does indeed include a literal period inside
the double quotes. (Did this get lost in translation?) Note also that
the setDomain method of the javax.servlet.http.Cookie class also
requires a period.

Cheers,
Tom
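
The point discussed in this message, as an added example (not part of the original thread and not code from the SAML specification): writing the common domain cookie so that the leading dot is always explicit, whichever way the domain was configured. The `_saml_idp` name and the value encoding follow the SAML 2.0 Identity Provider Discovery Profile; the helper names, the lower-casing, the host check and the sample IdP identifiers are assumptions made for the illustration.

```python
import base64
from urllib.parse import quote

COOKIE_NAME = "_saml_idp"  # cookie name used by the SAML 2.0 IdP Discovery Profile


def normalize_cookie_domain(domain):
    """Return the Domain attribute lower-cased with exactly one leading dot."""
    # Lower-casing is a choice of this example; host names are case-insensitive.
    bare = domain.strip().lower().strip(".")
    if "." not in bare:
        # An empty or single-label value would scope the cookie far too widely.
        raise ValueError("not a usable common domain: %r" % domain)
    return "." + bare


def host_in_domain(host, domain):
    """Label-boundary suffix match of a host against the Domain attribute."""
    dotted = normalize_cookie_domain(domain)
    host = host.strip().lower().rstrip(".")
    # The bare domain itself is accepted too (assumption: lenient matching).
    return host == dotted[1:] or host.endswith(dotted)


def encode_idp_list(idp_ids):
    """Base64 each IdP identifier, join with single spaces, then URL-encode."""
    parts = [base64.b64encode(i.encode("utf-8")).decode("ascii") for i in idp_ids]
    return quote(" ".join(parts), safe="")


def common_domain_set_cookie(idp_ids, domain):
    """Build the Set-Cookie header value for the common domain cookie."""
    return "%s=%s; Domain=%s; Path=/; Secure" % (
        COOKIE_NAME, encode_idp_list(idp_ids), normalize_cookie_domain(domain))


# Constructed sample values (hypothetical IdP identifiers).
IDPS = ["https://idp1.example.org/saml", "https://idp2.example.org/saml"]

if __name__ == "__main__":
    # Both spellings of the configured domain yield the same header.
    for written in ("CommonDomain.com", ".CommonDomain.com"):
        print(common_domain_set_cookie(IDPS, written))
    print(host_in_domain("sp.commondomain.com", "CommonDomain.com"))
    print(host_in_domain("evilcommondomain.com", "CommonDomain.com"))
```

The host check compares on a label boundary, so a look-alike host that merely ends in the same characters is not treated as part of the common domain.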