Posted to issues@cxf.apache.org by "Ramprasad (JIRA)" <ji...@apache.org> on 2018/07/30 19:28:00 UTC
[jira] [Created] (CXF-7810) SAML Assertion Cookie persistence - configurable to not persist across browser restarts
Ramprasad created CXF-7810:
------------------------------
Summary: SAML Assertion Cookie persistence - configurable to not persist across browser restarts
Key: CXF-7810
URL: https://issues.apache.org/jira/browse/CXF-7810
Project: CXF
Issue Type: Test
Components: JAX-RS
Affects Versions: 3.2.1
Reporter: Ramprasad
In AbstractSSOSpHandler -> createCookie, there is specific code to have the cookie persist across browser restarts.
Pasted below:
************
// Keep the cookie across the browser restarts until it actually expires.
// Note that the Expires property has been deprecated but apparently is
// supported better than 'max-age' property by different browsers
// (Firefox, IE, etc)
Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
String cookieExpires =
    HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
contextCookie += ";Expires=" + cookieExpires;
************
We are using Apache CXF for web SSO to integrate with our IDP, and we have a security issue with the cookie persisting when the browser exits. Is there a configuration or a different way to remove the cookie when the browser is closed? Not all of our users will use logout to sign off; they will just close the browser.
Please let me know.
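The difference between the two cookie lifetimes discussed in this report, as an added example that is not CXF code and not part of the original message: a cookie carrying neither Expires nor Max-Age is a session cookie, while the pasted snippet makes it persistent. The class, the persistAcrossRestarts flag, the cookie name and value, and the Secure/HttpOnly attributes are assumptions made for illustration; isPersistent is a check that could back a regression test on the Set-Cookie header.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

public class SsoCookieLifetime {
    // HTTP date form used by the Expires attribute, always rendered in GMT.
    private static final DateTimeFormatter HTTP_DATE = DateTimeFormatter
        .ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
        .withZone(ZoneOffset.UTC);

    // Hypothetical helper, not CXF's createCookie: the flag decides whether
    // the cookie is written with an Expires attribute.
    static String createCookie(String name, String value, String path,
                               long stateTimeToLiveMs, boolean persistAcrossRestarts) {
        StringBuilder cookie = new StringBuilder(name).append('=').append(value)
            .append(";Path=").append(path).append(";Secure;HttpOnly");
        if (persistAcrossRestarts) {
            Instant expires = Instant.now().plusMillis(stateTimeToLiveMs);
            cookie.append(";Expires=").append(HTTP_DATE.format(expires));
        }
        // Without Expires or Max-Age the browser keeps the cookie in memory
        // only and drops it when the browser session ends.
        return cookie.toString();
    }

    // True when a Set-Cookie value asks the browser to store the cookie
    // beyond the current browser session.
    static boolean isPersistent(String setCookieValue) {
        String[] parts = setCookieValue.split(";");
        for (int i = 1; i < parts.length; i++) { // parts[0] is name=value
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.startsWith("expires=") || attr.startsWith("max-age=")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        long ttl = 2 * 60 * 1000L; // constructed sample TTL in milliseconds
        for (boolean persist : new boolean[] {true, false}) {
            String c = createCookie("ssoContext", "constructed-sample-key", "/app", ttl, persist);
            System.out.println((isPersistent(c) ? "persistent: " : "session:    ") + c);
        }
    }
}
```

Browsers configured to restore the previous session on startup can keep session cookies alive across a restart, so the server-side state lifetime still has to be enforced regardless of which cookie form is sent.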