You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
- the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
- in that case. Note that while we default checkAddress to "false", this has a negative
- impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+ the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+ Note that while we default checkAddress to "false", this has a negative impact on the
+ security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
- handlerURL="/Shibboleth.sso" handlerSSL="false" relayState="ss:mem"
+ handlerURL="/Shibboleth.sso" handlerSSL="false" cookieProps="http" relayState="ss:mem"
exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
idpHistory="false" idpHistoryDays="7">
<!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
- entityID="https://idp.example.org/shibboleth">
+ entityID="https://idp.example.org/idp/shibboleth">
<SessionInitiator type="SAML2" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1"/>
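Review bot: The rewritten comment at L7–L9 no longer says what the "http" and "https" keywords expand to, nor that any other value is still appended to the cookie verbatim as its attribute string, so an administrator who already has a literal setting cannot tell it still works, and one who picks "http" on a TLS site is not warned that the Secure attribute is dropped. Suggest extending the sentence to `Set cookieProps to "https" for SSL-only sites (adds the secure flag) and "http" otherwise; any other value is used verbatim as the cookie attribute string.` The same comment text is changed identically in the two following example-config sections, so the wording applies there as well. The enclosing <!-- comment opens before this hunk.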
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
- the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
- in that case. Note that while we default checkAddress to "false", this has a negative
- impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+ the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+ Note that while we default checkAddress to "false", this has a negative impact on the
+ security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
- <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
+ <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+ checkAddress="false" handlerSSL="false" cookieProps="http">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
- <SSO entityID="https://idp.example.org/shibboleth"
+ <SSO entityID="https://idp.example.org/idp/shibboleth"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
- the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
- in that case. Note that while we default checkAddress to "false", this has a negative
- impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+ the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+ Note that while we default checkAddress to "false", this has a negative impact on the
+ security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
- <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
+ <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+ checkAddress="false" handlerSSL="false" cookieProps="http">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
- <SSO entityID="https://idp.example.org/shibboleth"
+ <SSO entityID="https://idp.example.org/idp/shibboleth"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>
pair<string,const char*> Application::getCookieNameProps(const char* prefix, time_t* lifetime) const
{
static const char* defProps="; path=/; HttpOnly";
+ static const char* sslProps="; path=/; secure; HttpOnly";
if (lifetime)
*lifetime = 0;
if (!prefix)
prefix = "";
- const PropertySet* props=getPropertySet("Sessions");
+ const PropertySet* props = getPropertySet("Sessions");
if (props) {
if (lifetime) {
pair<bool,unsigned int> lt = props->getUnsignedInt("cookieLifetime");
if (lt.first)
*lifetime = lt.second;
}
- pair<bool,const char*> p=props->getString("cookieProps");
- if (!p.first)
- p.second=defProps;
- pair<bool,const char*> p2=props->getString("cookieName");
+ pair<bool,const char*> p = props->getString("cookieProps");
+ if (!p.first || !strcmp(p.second, "http"))
+ p.second = defProps;
+ else if (!strcmp(p.second, "https"))
+ p.second = sslProps;
+ pair<bool,const char*> p2 = props->getString("cookieName");
if (p2.first)
return make_pair(string(prefix) + p2.second, p.second);
return make_pair(string(prefix) + getHash(), p.second);
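Review bot: The new `strcmp` matches at L89 and L91 are case-sensitive and a value that matches neither keyword is kept as-is, so a setting such as `cookieProps="HTTPS"` silently becomes a raw suffix glued onto the cookie value by callers instead of selecting the secure variant or producing an error. Either compare case-insensitively or log a warning when the value is neither a keyword nor (presumably) a string beginning with ';' — confirm what callers expect. A short comment on the new constant would also help: `// "https" shorthand: Secure limits the cookie to TLS, HttpOnly keeps it from script`. The function's closing brace lies outside the hunk.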
) const
{
static const char* defProps="; path=/";
+ static const char* sslProps="; path=/; secure";
- const PropertySet* sessionProps=application.getPropertySet("Sessions");
- pair<bool,bool> idpHistory=sessionProps->getBool("idpHistory");
+ const PropertySet* sessionProps = application.getPropertySet("Sessions");
+ pair<bool,bool> idpHistory = sessionProps->getBool("idpHistory");
if (idpHistory.first && idpHistory.second) {
- pair<bool,const char*> cookieProps=sessionProps->getString("idpHistoryProps");
+ pair<bool,const char*> cookieProps = sessionProps->getString("idpHistoryProps");
if (!cookieProps.first)
- cookieProps=sessionProps->getString("cookieProps");
- if (!cookieProps.first)
- cookieProps.second=defProps;
+ cookieProps = sessionProps->getString("cookieProps");
+ if (!cookieProps.first || !strcmp(cookieProps.second, "http"))
+ cookieProps.second = defProps;
+ else if (!strcmp(cookieProps.second, "https"))
+ cookieProps.second = sslProps;
// Set an IdP history cookie locally (essentially just a CDC).
CommonDomainCookie cdc(request.getCookie(CommonDomainCookie::CDCName));
// Either leave in memory or set an expiration.
- pair<bool,unsigned int> days=sessionProps->getUnsignedInt("idpHistoryDays");
- if (!days.first || days.second==0) {
+ pair<bool,unsigned int> days = sessionProps->getUnsignedInt("idpHistoryDays");
+ if (!days.first || days.second == 0) {
string c = string(cdc.set(entityID)) + cookieProps.second;
response.setCookie(CommonDomainCookie::CDCName, c.c_str());
}
else {
- time_t now=time(nullptr) + (days.second * 24 * 60 * 60);
+ time_t now = time(nullptr) + (days.second * 24 * 60 * 60);
#ifdef HAVE_GMTIME_R
struct tm res;
- struct tm* ptime=gmtime_r(&now,&res);
+ struct tm* ptime = gmtime_r(&now,&res);
#else
- struct tm* ptime=gmtime(&now);
+ struct tm* ptime = gmtime(&now);
#endif
char timebuf[64];
- strftime(timebuf,64,"%a, %d %b %Y %H:%M:%S GMT",ptime);
+ strftime(timebuf,64,"%a, %d %b %Y %H:%M:%S GMT", ptime);
string c = string(cdc.set(entityID)) + cookieProps.second + "; expires=" + timebuf;
response.setCookie(CommonDomainCookie::CDCName, c.c_str());
}
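Review bot: The keyword translation at L113–L116 duplicates the logic added to Application::getCookieNameProps with only the base strings differing, so the two copies will drift; a small shared helper taking the plain and secure defaults as arguments would keep them in step. Note that here neither `defProps` nor the new `sslProps` carries HttpOnly, unlike the session-cookie variant; if that is deliberate because the common-domain cookie is read client-side, say so next to `sslProps`, e.g. `// No HttpOnly: the CDC is presumably consumed client-side by the discovery service — confirm`. The enclosing function's signature begins before this hunk and its body continues after it.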