Posted to issues@cxf.apache.org by "Ramprasad (JIRA)" <ji...@apache.org> on 2018/10/01 18:12:00 UTC

[jira] [Commented] (CXF-7810) SAML Assertion Cookie persistence - configurable to not persist across browser restarts

    [ https://issues.apache.org/jira/browse/CXF-7810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16634422#comment-16634422 ] 

Ramprasad commented on CXF-7810:
--------------------------------

Hi,

Attached output log from our Tomcat instance with log level set to FINE.
Seeing 'Response State has expired' and looping through SAML requests and responses continuously. Response is valid -- just that it treats it somewhere as expired. Not sure why.
If you need to see any other log messages or if you want me to try something else, please let me know.

Thank you
Ramprasad

> SAML Assertion Cookie persistence - configurable to not persist across browser restarts
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-7810
>                 URL: https://issues.apache.org/jira/browse/CXF-7810
>             Project: CXF
>          Issue Type: Test
>          Components: JAX-RS
>    Affects Versions: 3.2.1
>            Reporter: Ramprasad
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.2.7
>
>         Attachments: cxf-config.xml, output.txt
>
>
> In AbstractSSOSpHandler -> createCookie ->
> There is specific code to have cookie persist across browser restarts.
> Pasted Below: 
> ************
> // Keep the cookie across the browser restarts until it actually expires.
> // Note that the Expires property has been deprecated but apparently is
> // supported better than 'max-age' property by different browsers
> // (Firefox, IE, etc)
> Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
> String cookieExpires =
>     HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
> contextCookie += ";Expires=" + cookieExpires;
> ************
> We are using Apache CXF for web SSO to integrate with our IDP and have a security issue with having the cookie persist when browser exits. Is there a configuration or different way to remove cookie when the browser is closed? Not all of our users will use logout to sign-off, they will just close the browser.
> Please let me know.
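The persistence the issue describes, as an added example (not CXF code): the same cookie string built with and without the Expires attribute that the quoted createCookie() snippet appends, plus a check that tells a session cookie from a persistent one. The persistAcrossRestarts flag and the SsoCookieDemo class are assumptions for illustration; the HTTP-date formatting uses java.time in place of CXF's HttpUtils.getHttpDateFormat().

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

// Added example, not CXF code: what the Expires attribute does to the SSO
// context cookie, and how to verify that an emitted cookie is session-scoped.
public class SsoCookieDemo {

    // RFC 7231 IMF-fixdate, the same shape the quoted snippet produces.
    private static final DateTimeFormatter HTTP_DATE =
        DateTimeFormatter.ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);

    // persistAcrossRestarts is a hypothetical switch standing in for the
    // configuration the issue asks for; 'now' is injected for repeatable output.
    static String buildCookie(String name, String value, long stateTimeToLive,
                              boolean persistAcrossRestarts, Instant now) {
        StringBuilder cookie = new StringBuilder(name).append('=').append(value)
            .append(";Path=/;HttpOnly;Secure");
        if (persistAcrossRestarts) {
            // Same construction as the quoted createCookie() code: an absolute
            // Expires date makes the browser keep the cookie on disk until then.
            Instant expires = now.plusMillis(stateTimeToLive);
            cookie.append(";Expires=").append(HTTP_DATE.format(expires.atZone(ZoneOffset.UTC)));
        }
        // With neither Expires nor Max-Age the browser treats it as a session
        // cookie and drops it on exit; lifetime is then bounded only by the
        // server-side response-state TTL.
        return cookie.toString();
    }

    // Defender-side check: a cookie is session-scoped only if the Set-Cookie
    // value carries neither an Expires nor a Max-Age attribute.
    static boolean isSessionCookie(String setCookieValue) {
        for (String attr : setCookieValue.split(";")) {
            String a = attr.trim().toLowerCase(Locale.ROOT);
            if (a.startsWith("expires=") || a.startsWith("max-age=")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2018-10-01T18:12:00Z");   // constructed sample time
        String persistent = buildCookie("sso_context", "abc123", 120_000L, true, now);
        String session = buildCookie("sso_context", "abc123", 120_000L, false, now);
        System.out.println(persistent + "  -> session cookie? " + isSessionCookie(persistent));
        System.out.println(session + "  -> session cookie? " + isSessionCookie(session));
    }
}
```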



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)