You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
- the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+ the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
in that case. Note that while we default checkAddress to "false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
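Review bot: "in that case" ties the recommended "; path=/; secure; HttpOnly" to handlerSSL="true", but only the "secure" flag depends on the handler being served over https; HttpOnly is independent of TLS and worth recommending unconditionally. Suggest splitting the sentence, e.g. "You should add a cookieProps setting of "; path=/; secure; HttpOnly"; "secure" is only appropriate when handlerSSL is true." Since the code hunk below changes the built-in default to "; path=/; HttpOnly" and an explicit cookieProps value replaces that default rather than extending it, the comment should also say so, otherwise an administrator who sets cookieProps to "; path=/; secure" alone silently drops HttpOnly.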
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
- the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+ the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
in that case. Note that while we default checkAddress to "false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
- the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+ the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
in that case. Note that while we default checkAddress to "false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
pair<string,const char*> Application::getCookieNameProps(const char* prefix, time_t* lifetime) const
{
- static const char* defProps="; path=/";
+ static const char* defProps="; path=/; HttpOnly";
if (lifetime)
*lifetime = 0;
pair<bool,bool> idpHistory=sessionProps->getBool("idpHistory");
if (idpHistory.first && idpHistory.second) {
- pair<bool,const char*> cookieProps=sessionProps->getString("cookieProps");
+ pair<bool,const char*> cookieProps=sessionProps->getString("idpHistoryProps");
+ if (!cookieProps.first)
+ cookieProps=sessionProps->getString("cookieProps");
if (!cookieProps.first)
cookieProps.second=defProps;
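Review bot: the new idpHistoryProps setting introduced at "sessionProps->getString("idpHistoryProps")" is not documented in the config-file comment hunks above, which still only mention cookieProps; add a line there describing idpHistoryProps and its fallback order (idpHistoryProps, then cookieProps, then the built-in default). Note also that with the fallback chain, the idpHistory cookie now inherits HttpOnly from defProps (or from a cookieProps value that includes it) unless idpHistoryProps is set explicitly; if that cookie is intended to be read by client-side script, this is a behaviour change that the documentation should call out. Minor: the local is still named cookieProps although it may now hold the idpHistoryProps value; renaming it (e.g. to historyProps) would make the two-stage lookup easier to follow.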