ITS and UVa logos for printed output

NetBadge at UVA

How NetBadge Works

General Information about the NetBadge Service

The NetBadge Web single-signon (SSO) service uses Shibboleth as its underlying implementation technology. A NetBadge is a collection of HTTP cookies issued to your browser, which your browser saves in memory and automatically presents to UVA websites when necessary.

The Login Process

Each website that requires a NetBadge first sends you to the NetBadge login page to get proof of your identity. The first time this happens in a browser session, you must log in using your personal digital certificate or your UVA computing ID and password (or HSCS password).

When you log in successfully, the NetBadge service issues your browser a login cookie. The login cookie is valid for:

  • 9 hours, if you log in from anywhere on the UVA network (on Grounds or via UVaAnywhere), or
  • 1 hour if you log in from outside the network.

Thereafter, as long as your login cookie is valid, whenever a website sends you back to the NetBadge server for authentication, your browser presents this cookie as proof that you have already logged in and you do not need to do so again. In that case, NetBadge sends you straight back to the website that directed you there. This is so quick you may not even notice it.

Session Cookies

When you return from the NetBadge login page to the protected website with proof of your identity, the website issues you a session cookie, which gives you usually 8 hours of access to that website without any more trips to the NetBadge login page. (Session cookies can be configured for other time limits, but 8 hours is the default.)

During that time, whenever you visit the protected website, your browser presents the session cookie to identify you and you get right in. During a typical browser session, you will have one login cookie, and a session cookie for each protected website that you’ve visited during the session.

Note that each cookie has its own expiration time. Do not expect all of your NetBadge cookies to expire at the same time. For example, suppose your login cookie only has a few minutes left until it expires and you visit a protected website for the first time during this browser session. The website issues you a session cookie that is valid for 8 hours. After a few minutes your login cookie expires. However, your browser still has login-free access to the website for almost 8 more hours because that is how much time remains on the session cookie.

There is no easy way to get rid of all of your NetBadge cookies other than to exit your Web browser completely. If you are an advanced or “power user,” you might take advantage of the menu that most Web browsers provide for managing cookies. You can use the menu to delete them individually or all at once.

Why does NetBadge use cookies at all? They are for efficiency and for fault tolerance. Without session cookies, every request to a protected website would also require a trip to the NetBadge login page, placing a tremendous load on the login server and delaying requests to the site or application. Without the login cookie, every NetBadge Web service would require a new login, defeating the purpose of single-signon which is one login to access many web applications or services. Furthermore, if the login page ever went down, all access to protected websites would immediately cease. With session cookies, most visits to protected websites do not require trips to the NetBadge login page. If the login page goes down for some reason, people will still be able to access protected websites for which they have already gotten session cookies.

  Page Updated: Wednesday 2018-06-27 17:12:37 EDT