[ https://issues.apache.org/jira/browse/CXF-7810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16634422#comment-16634422 ]

Ramprasad commented on CXF-7810:
--------------------------------

Hi,

Attached output log from our Tomcat instance with log level set to FINE.
Seeing 'Response State has expired' and looping through SAML requests and 
responses continuously. Response is valid -- just that it treats it somewhere 
as expired. Not sure why.
If you need to see any other log messages or if you want me to try something 
else, please let me know.

Thank you
Ramprasad

> SAML Assertion Cookie persistence - configurable to not persist across 
> browser restarts
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-7810
>                 URL: https://issues.apache.org/jira/browse/CXF-7810
>             Project: CXF
>          Issue Type: Test
>          Components: JAX-RS
>    Affects Versions: 3.2.1
>            Reporter: Ramprasad
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.2.7
>
>         Attachments: cxf-config.xml, output.txt
>
>
> In AbstractSSOSpHandler -> createCookie ->
> There is specific code to have cookie persist across browser restarts.
> Pasted below:
> ************
> // Keep the cookie across the browser restarts until it actually expires.
> // Note that the Expires property has been deprecated but apparently is
> // supported better than 'max-age' property by different browsers
> // (Firefox, IE, etc)
> Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
> String cookieExpires =
>     HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
> contextCookie += ";Expires=" + cookieExpires;
> ************
> We are using Apache CXF for web SSO to integrate with our IDP and have a 
> security issue with having the cookie persist when the browser exits. Is there 
> a configuration or different way to remove the cookie when the browser is 
> closed? Not all of our users will use logout to sign off; they will just close 
> the browser.
> Please let me know.
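The following is an added illustration, not CXF's own code, of the difference the quoted createCookie snippet makes: with an Expires attribute the relay-state cookie is persistent and survives a browser restart; without Expires (and without Max-Age) it is a session cookie that the browser discards when it exits. The class and method names (RelayStateCookieExample, buildCookie), the cookie name and the Path/HttpOnly/Secure attributes are assumptions for the example; stateTimeToLive is taken from the quoted snippet. The RFC 7231 date pattern stands in for CXF's HttpUtils.getHttpDateFormat() so the example runs stand-alone.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

/**
 * Added example (not CXF code). Shows how the Expires attribute turns the
 * SAML relay-state cookie into a persistent cookie, and how omitting it
 * yields a session cookie. Names below are assumptions, not CXF API.
 */
public class RelayStateCookieExample {

    // HTTP-date format per RFC 7231, e.g. "Sun, 06 Nov 1994 08:49:37 GMT".
    // Stands in for CXF's HttpUtils.getHttpDateFormat() in this example.
    private static final DateTimeFormatter HTTP_DATE =
        DateTimeFormatter.ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
                         .withZone(ZoneOffset.UTC);

    /**
     * Builds a Set-Cookie value for the relay-state cookie.
     *
     * stateTimeToLive is the server-side lifetime (milliseconds) of the stored
     * request state. It bounds how long the cookie can be redeemed whether or
     * not the cookie itself is persistent; only the browser-side retention
     * changes with the persistent flag.
     */
    public static String buildCookie(String name, String value, long nowMillis,
                                     long stateTimeToLive, boolean persistent) {
        StringBuilder cookie = new StringBuilder()
            .append(name).append('=').append(value)
            .append(";Path=/;HttpOnly;Secure"); // assumed hardening attributes
        if (persistent) {
            // Persistent cookie: kept across browser restarts until Expires,
            // which is what the quoted createCookie code does.
            Instant expires = Instant.ofEpochMilli(nowMillis + stateTimeToLive);
            cookie.append(";Expires=").append(HTTP_DATE.format(expires));
        }
        // Session cookie: no Expires and no Max-Age, so the browser discards it
        // when the browsing session ends. Caveat: browsers configured to restore
        // the previous session may keep session cookies across a restart.
        return cookie.toString();
    }

    public static void main(String[] args) {
        long now = 1538000000000L;   // constructed timestamp, not from the page
        long ttl = 2 * 60 * 1000L;   // constructed two-minute state lifetime
        System.out.println(buildCookie("relay_state", "abc123", now, ttl, true));
        System.out.println(buildCookie("relay_state", "abc123", now, ttl, false));
    }
}
```

The first line printed carries an `Expires=` attribute and the second does not; everything else about the two cookies is identical. Either way the server still rejects the cookie once stateTimeToLive has elapsed, so switching to a session cookie narrows browser-side retention without lengthening the window in which the state is accepted.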



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)