As far as I understand there are two ways to get Shibboleth attributes:
In the later case, how can I make them available to the application? Even if I catch them once and try to inject them in the server environment with putenv(), it will only be for the duration of the current request. I could load them in the session, but it just doesn't feel right.
If they went into the server's environment, then every user's values would overwrite everyone else's on every request. That's why there's sessions, to store per-user persistent data. Of course, you could have the server reinject on every request, into just the child/thread's environment for that particular request, but unless the values are changing each time, why not just put them in the session to begin with?
As well, in a multiple worker environment (like Apache's pre-fork), unless you somehow injected the variable into the parent process (the one that runs as root), you'd only be able to affect the one child. There's no guarantee that the next request will be processed by the same child. And even better, even if you injected the parent root-flagged process, the children wouldn't inherit that new environment until they naturally are shut down and the root parent forks a fresh child.