[ https://issues.apache.org/jira/browse/CXF-7810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16589306#comment-16589306 ]
Ramprasad commented on CXF-7810:
--------------------------------

Hi,
Do you know when the version 3.2.7 will be available for download through maven? Trying to get that and test our application.
Thank you

> SAML Assertion Cookie persistence - configurable to not persist across browser restarts
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-7810
>                 URL: https://issues.apache.org/jira/browse/CXF-7810
>             Project: CXF
>          Issue Type: Test
>          Components: JAX-RS
>    Affects Versions: 3.2.1
>            Reporter: Ramprasad
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.2.7
>
>
> In AbstractSSOSpHandler -> createCookie ->
> There is specific code to have cookie persist across browser restarts.
> Pasted Below:
> ************
> // Keep the cookie across the browser restarts until it actually expires.
> // Note that the Expires property has been deprecated but apparently is
> // supported better than 'max-age' property by different browsers
> // (Firefox, IE, etc)
> Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
> String cookieExpires =
>     HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
> contextCookie += ";Expires=" + cookieExpires;
> ************
> We are using Apache CXF for web sso to integrate with our IDP and have a security issue with having the cookie persist when browser exits. Is there a configuration or different way to remove cookie when the browser is closed?
> Not all of our users will use logout to sign-off, they will just close the browser.
> Please let me know.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
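
The behaviour requested in the quoted issue, as an added example that is not part of the original message and is not CXF's code: a cookie builder that writes `Expires` only when persistence is wanted, plus a check that a `Set-Cookie` value is a session cookie. The class, method and parameter names (`SessionCookieExample`, `createCookie`, `persist`, `isPersistent`) and the sample values are assumptions.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

// Added illustration; class, method and parameter names are hypothetical, not CXF API.
public class SessionCookieExample {

    // HTTP date format, e.g. "Sun, 06 Nov 1994 08:49:37 GMT"
    private static final DateTimeFormatter HTTP_DATE = DateTimeFormatter
        .ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
        .withZone(ZoneOffset.UTC);

    // Builds a Set-Cookie value. With persist == false no Expires attribute is
    // written, so the browser treats it as a session cookie.
    static String createCookie(String name, String value, String path,
                               long stateTimeToLive, boolean persist) {
        StringBuilder cookie = new StringBuilder(name).append('=').append(value);
        if (path != null) {
            cookie.append(";Path=").append(path);
        }
        if (persist) {
            Instant expires = Instant.now().plusMillis(stateTimeToLive);
            cookie.append(";Expires=").append(HTTP_DATE.format(expires));
        }
        return cookie.toString();
    }

    // Check for tests: true if the value carries Expires or Max-Age,
    // i.e. the cookie is stored with a lifetime beyond the browser session.
    static boolean isPersistent(String setCookieValue) {
        String[] parts = setCookieValue.split(";");
        for (int i = 1; i < parts.length; i++) {   // parts[0] is name=value
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.startsWith("expires=") || attr.startsWith("max-age=")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values
        String persistent = createCookie("ctx", "abc123", "/app", 120000L, true);
        String session = createCookie("ctx", "abc123", "/app", 120000L, false);
        System.out.println(persistent + " -> persistent=" + isPersistent(persistent));
        System.out.println(session + " -> persistent=" + isPersistent(session));
    }
}
```

Browsers configured to restore the previous session on startup can keep session cookies across a restart, so the server-side state lifetime still needs to be enforced.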