NetID Login Service - Importance of Secure Cookies
For Shibboleth to provide secure authentication, users must be required to communicate with the application server and the login server over an encrypted connection, so that user-specific data is not passed over the internet in plain text. There are just a couple of steps to requiring an encrypted connection for all Shibboleth traffic:
Force SSL on all Paths
Any path you define as requiring Shibboleth authentication should be accessible only over SSL.
On a Windows server, you can accomplish this by adding the redirectToSSL="443" attribute to all Path elements in the RequestMap of your shibboleth2.xml (NetID Login Service - Requiring Shibboleth Authentication). If you're using a port other than 443 for SSL, use that value instead. (Note that to configure Shibboleth to use a non-standard SSL port, the port number and scheme "https" must be specified in the Host element.)
In Apache, you can force SSL in a variety of ways using native functionality.
Use Secure Cookies
You can use the cookieProps attribute in the Sessions element of your shibboleth2.xml to limit cookie use to requests made over SSL. To do this, add cookieProps="; path=/; secure; HttpOnly" to your Sessions element and set handlerSSL="true". The secure flag stops the browser from sending the session cookie over plain HTTP, and HttpOnly keeps it out of reach of client-side script.
Example Sessions element using cookieProps:
<Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/Shibboleth.sso" handlerSSL="true"
          cookieProps="; path=/; secure; HttpOnly"
          exportLocation="localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1">
    <!-- the existing SSO, Logout and Handler children of Sessions stay unchanged -->
</Sessions>
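To verify both steps at once, here is an added Python check (not part of the NetID Login Service documentation) that parses a shibboleth2.xml and reports any session-protected Host or Path without redirectToSSL, and a Sessions element without handlerSSL="true" or without the secure and HttpOnly cookie flags. The sample configuration is constructed, and the check assumes RequestMap properties are inherited by child Host and Path elements, as the SP's RequestMapper does.

```python
import xml.etree.ElementTree as ET

# Constructed sample shibboleth2.xml fragment (not taken from a real deployment):
# the "admin" Path, handlerSSL and cookieProps are deliberately left weak.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="sp.example.edu">
        <Path name="secure" authType="shibboleth" requireSession="true" redirectToSSL="443"/>
        <Path name="admin" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="false"
              cookieProps="; path=/"/>
  </ApplicationDefaults>
</SPConfig>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the namespace so SP 2.x and 3.x both work


def _audit_map(node, inherited, findings):
    # Assumption: RequestMap properties are inherited by child Host/Path elements,
    # so merge the parent's attributes before deciding whether this node is protected.
    props = {**inherited, **node.attrib}
    protected = props.get("requireSession") == "true" or props.get("authType", "").lower() == "shibboleth"
    if _local(node.tag) in ("Host", "Path") and protected and "redirectToSSL" not in props:
        findings.append(f"{_local(node.tag)} {node.get('name')!r} requires a session but has no redirectToSSL")
    for child in node:
        _audit_map(child, props, findings)


def audit_config(xml_text):
    """Return a list of findings; an empty list means both steps are in place."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "RequestMap":
            _audit_map(el, {}, findings)
        elif name == "Sessions":
            if el.get("handlerSSL") != "true":
                findings.append('Sessions: handlerSSL is not "true"')
            # cookieProps is a raw Set-Cookie suffix, so split it on ";" into its flags
            flags = {f.strip().lower() for f in el.get("cookieProps", "").split(";")}
            for flag in ("secure", "httponly"):
                if flag not in flags:
                    findings.append(f"Sessions: cookieProps lacks the {flag} flag")
    return findings
```

Run it against your own shibboleth2.xml by passing the file contents to audit_config; anything it prints is a path or cookie that can still be served or sent over plain HTTP.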