NetBadge at UVA
How NetBadge Works
General Information about the NetBadge Service
The NetBadge Web single-signon (SSO) service uses Shibboleth as its underlying implementation technology. A NetBadge is a collection of HTTP cookies issued to your browser, which your browser saves in memory and automatically presents to UVA websites when necessary.
The Login Process
Each website that requires a NetBadge first sends you to the NetBadge login page to get proof of your identity. The first time this happens in a browser session, you must log in using your personal digital certificate or your UVA computing ID and password (or HSCS password).
When you log in successfully, the NetBadge service issues your browser a login cookie. The login cookie is valid for:
- 9 hours, if you log in from anywhere on the UVA network (on Grounds or via UVaAnywhere), or
- 1 hour if you log in from outside the network.
Thereafter, as long as your login cookie is valid, whenever a website sends you back to the NetBadge server for authentication, your browser presents this cookie as proof that you have already logged in and you do not need to do so again. In that case, NetBadge sends you straight back to the website that directed you there. This is so quick you may not even notice it.
When you return from the NetBadge login page to the protected website with proof of your identity, the website issues you a session cookie, which gives you usually 8 hours of access to that website without any more trips to the NetBadge login page. (Session cookies can be configured for other time limits, but 8 hours is the default.)
During that time, whenever you visit the protected website, your browser presents the session cookie to identify you and you get right in. During a typical browser session, you will have one login cookie, and a session cookie for each protected website that you’ve visited during the session.
Note that each cookie has its own expiration time. Do not expect all of your NetBadge cookies to expire at the same time. For example, suppose your login cookie only has a few minutes left until it expires and you visit a protected website for the first time during this browser session. The website issues you a session cookie that is valid for 8 hours. After a few minutes your login cookie expires. However, your browser still has login-free access to the website for almost 8 more hours because that is how much time remains on the session cookie.
There is no easy way to get rid of all of your NetBadge cookies other than to exit your Web browser completely. If you are an advanced or “power user,” you might take advantage of the menu that most Web browsers provide for managing cookies. You can use the menu to delete them individually or all at once.