List:       shibboleth-dev
Subject:    RE: [Shib-Dev] Environment Variables vs. Request Headers
From:       "Jones, Mark B" <Mark.B.Jones () uth ! tmc ! edu>
Date:       2010-02-05 19:32:40
Message-ID: EC68ABCB48D09F4B96C3EEE6E32510EB0AAF395A91 () UTHCMS2 ! uthouston ! edu


Thanks Scott and Paul.

Sounds like a fairly safe bet either way but technically less risk using
environment variables.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Friday, February 05, 2010 1:18 PM
To: shibboleth-dev@internet2.edu
Subject: RE: [Shib-Dev] Environment Variables vs. Request Headers

Jones, Mark B wrote on 2010-02-05:
> Why?

Headers are subject to spoofing attempts by the client and despite the many
pains the SP takes to prevent that, it's never going to be provably immune
to new ways of attacking it that might get around the protections,
particularly when there are bugs in the web server itself.

I welcome and encourage attempts to hack it, and believe it's quite
protected provided all the IIS caveats are observed, but environment
variables are always protected.
 
-- Scott
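
As an added illustration (not part of the original thread, and not Shibboleth code), the sketch below models how a CGI/WSGI-style server stores client request headers under HTTP_-prefixed keys, which is why a variable that a server module sets under a bare name cannot be supplied by the client. The attribute name "eppn", the function names and the sample values are assumptions constructed for this example.

```python
# Added example: names and values are hypothetical, constructed for illustration.
ATTR = "eppn"  # assumed attribute name, not taken from the thread


def cgi_environ(request_headers, server_vars):
    """Build a CGI/WSGI-style environ from client headers and server variables.

    Every client header is stored as HTTP_<NAME>, so it can never collide
    with a variable that a server module sets under its bare name.
    """
    environ = {}
    for name, value in request_headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        environ[key] = value
    # Set inside the web server process; the client has no way to write these.
    environ.update(server_vars)
    return environ


def user_from_header(environ):
    # Header-based lookup: trustworthy only if the server removed or
    # overwrote any copy of the header that the client sent.
    return environ.get("HTTP_" + ATTR.upper())


def user_from_env(environ):
    # Environment-based lookup: reads only the server-set variable.
    return environ.get(ATTR)


def compare(request_headers, server_vars):
    """Return (header_based_result, env_based_result) for one request."""
    environ = cgi_environ(request_headers, server_vars)
    return user_from_header(environ), user_from_env(environ)


# Constructed request in which the client supplies its own attribute header.
CLIENT_HEADERS = [("Host", "sp.example.org"), ("eppn", "mallory@example.net")]

if __name__ == "__main__":
    # Case 1: no session and the header was not stripped before the app ran.
    print(compare(CLIENT_HEADERS, {}))
    # Case 2: the server module exports the attribute as an environment variable.
    print(compare(CLIENT_HEADERS, {ATTR: "alice@example.org"}))
```

In the first case the header-based lookup returns whatever the client sent, while the environment-based lookup returns nothing; in the second, the environment-based lookup returns only the server-set value.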


