On Nov 27, 2012, at 7:49 PM, Chris Hecker <chec...@d6.com> wrote:

>> Some care would be needed here. The user will be redirected to the
>> central weblogin server for the ticket renewal.
>
> Ah, yeah, I don't think POSTs can live across redirects. This would
> have to happen before the redirect on the initial apache handling of the
> request, completely under the hood. Is there something preventing that
> from working?

I think what you're proposing is just that an attempt to use a service cookie expired in the near past would extend the lifetime of the login session for some period, and you would use the backchannel connection from mod_cosign to cosignd to accomplish this.

At the protocol level, a CHECK of an expired service cookie with cosignd would, assuming the service has permission to renew the session, cause cosignd to push forward the expire time of the login cookie, or otherwise mark the login cookie in some way so that the service cookie is good for another period of time.

That's a pretty straightforward patch, and it might reduce the frequency of POST errors for expired sessions, at least until the renewal limit is hit. There are a lot of potential side effects to consider, though. In a crude form of this patch, use of an expired service cookie for a renewable service extends login session lifetime, and therefore all other service cookies. There'd probably need to be some way to set policy here (you've focused on using the TGT stored at authentication time), since there are a lot of possible side effects.

andrew

_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
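
An added example, not part of the original message and not cosignd code: a toy model of the renew-on-CHECK idea discussed above, showing the side effect where one renewable service revives every service cookie tied to the same login session. All names, the grace window, the timeout and the renewal limit are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Toy model of the proposal; NOT cosignd code. Names and constants are assumptions. */
#define IDLE_TIMEOUT  3600  /* seconds a renewal adds to the login session */
#define GRACE_WINDOW   600  /* "expired in the near past": max seconds past expiry */
#define RENEWAL_LIMIT    2  /* silent renewals allowed before a real re-login */

struct login { time_t expires; int renewals; };

struct service_cookie {
    struct login *login;  /* validity derives from the shared login session */
    bool may_renew;       /* per-service policy: may a CHECK renew the session? */
};

/* CHECK: returns true if the service cookie is accepted at time now. */
bool check(struct service_cookie *sc, time_t now)
{
    struct login *l = sc->login;

    if (now < l->expires)
        return true;                      /* still valid, nothing to do */
    if (!sc->may_renew)
        return false;                     /* policy: this service cannot renew */
    if (now - l->expires > GRACE_WINDOW)
        return false;                     /* expired too long ago */
    if (l->renewals >= RENEWAL_LIMIT)
        return false;                     /* renewal limit hit */
    l->expires = now + IDLE_TIMEOUT;      /* push the login expiry forward */
    l->renewals++;
    return true;
}

int main(void)
{
    struct login l = { 1000, 0 };         /* constructed sample session */
    struct service_cookie wiki = { &l, true }, payroll = { &l, false };

    printf("payroll at 1100: %d\n", check(&payroll, 1100));  /* rejected */
    printf("wiki    at 1100: %d\n", check(&wiki, 1100));     /* renews */
    printf("payroll at 1100: %d\n", check(&payroll, 1100));  /* now accepted */
    return 0;
}
```

In this model the non-renewable service is refused on its own but accepted once the renewable service has been used, which is the policy question the message raises.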