web-security

simongray 2020-11-03T11:34:03.011900Z

Hi everyone. This is my plan for making a secure SAML login for the web service I’m building. If you see any red flags, please point them out:
• enforce HTTPS
• have the user go through the regular SAML authentication flow
• upon successful authentication, generate a session token and store it as a cookie (using ring session)
• check for a valid session cookie for every request to any endpoints requiring authentication. If n/a, send a forbidden response.
• give every session token a relatively short time to live

simongray 2020-11-03T11:35:13.012300Z

Does this sound ok?