The <InProcess> element contains settings governing the portion of the SP that runs inside the web server. It also includes content specific to particular web servers that supply an inadequate native configuration mechanism. On version 2.4 and above, it is required for IIS usage, optional otherwise.

<InProcess logger="native.logger" checkSpoofing="true">
        <Library path="" fatal="true"/>



When omitted, the default attribute values below are used, no extensions are loaded, and no IIS configuration information is supplied.


When using Apache, strongly consider porting applications to rely on environment variables in place of headers.

If this is not possible, the checkSpoofing feature should be enabled. Server-side redirects, aliasing, and modules like mod_rewrite tend to cause false alarms because the SP detects headers that it itself has already created. To prevent this, the spoofKey setting enables a special header as a way of detecting whether the headers being examined came from the SP or the client. The idea is to make it difficult for a client to guess this value and spoof the key, which then bypasses the spoof detection code.

On the Windows/IIS platform, a random key is automatically generated to ensure the detection feature works safely. On other platforms, you need to establish the spoofKey setting yourself. It should contain a suitably long, random value, and you <strong>MUST</strong> prevent the client from accessing any server-side scripts that might expose the key value through a dump of arbitrary request headers.

Child Elements