Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2018/08/14 15:23:00 UTC

[jira] [Commented] (CXF-7810) SAML Assertion Cookie persistence - configurable to not persist across browser restarts

    [ https://issues.apache.org/jira/browse/CXF-7810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16579951#comment-16579951 ] 

Colm O hEigeartaigh commented on CXF-7810:
------------------------------------------

What I've done for the next release is that if you specify "stateTimeToLive=0" for the AbstractRequestAssertionConsumerHandler, then no Expiry is set on the Cookie. Therefore it won't expire as long as the browser is open, but when the browser is closed then the cookie is removed.

Here is the commit if you want to make the changes locally:

https://github.com/apache/cxf/commit/f4f4075ddcadc7dddc9c887a94776e022b00677f

> SAML Assertion Cookie persistence - configurable to not persist across browser restarts
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-7810
>                 URL: https://issues.apache.org/jira/browse/CXF-7810
>             Project: CXF
>          Issue Type: Test
>          Components: JAX-RS
>    Affects Versions: 3.2.1
>            Reporter: Ramprasad
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.2.7
>
>
> In AbstractSSOSpHandler -> createCookie ->
> There is specific code to have cookie persist across browser restarts.
> Pasted Below: 
> ************
> // Keep the cookie across the browser restarts until it actually expires.
> // Note that the Expires property has been deprecated but apparently is
> // supported better than 'max-age' property by different browsers
> // (Firefox, IE, etc)
> Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
> String cookieExpires =
>     HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
> contextCookie += ";Expires=" + cookieExpires;
> ************
> We are using Apache CXF for web SSO to integrate with our IDP and have a security issue with having the cookie persist when the browser exits. Is there a configuration or a different way to remove the cookie when the browser is closed? Not all of our users will use logout to sign off; they will just close the browser.
> Please let me know.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
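As an added illustration, not code from CXF or from this thread: a stand-alone Java class that mirrors the createCookie logic quoted above and the behaviour described in the comment, emitting the Expires attribute only when stateTimeToLive is positive, so that 0 yields a session cookie with no Expires or Max-Age. The class name, the createCookie signature, the cookie name, and the added Secure/HttpOnly attributes are assumptions for illustration; the date format is the HTTP-date layout RFC 6265 expects rather than CXF's HttpUtils helper.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

// Hypothetical stand-in for AbstractSSOSpHandler.createCookie (assumption, not CXF code).
public final class SsoCookieExample {

    // RFC 6265 cookie-date: zero-padded day, always "GMT". Java's built-in
    // RFC_1123_DATE_TIME does not pad the day-of-month, so use an explicit pattern.
    private static final DateTimeFormatter HTTP_DATE =
        DateTimeFormatter.ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
                         .withZone(ZoneOffset.UTC);

    /**
     * Builds a Set-Cookie value for the SSO state cookie.
     *
     * @param stateTimeToLive lifetime in milliseconds, as in the JIRA description;
     *                        0 means "session cookie": no Expires, so the browser
     *                        discards it when the browsing session ends.
     * @param now             injected clock so the output is reproducible.
     */
    static String createCookie(String name, String value, String path,
                               long stateTimeToLive, Instant now) {
        StringBuilder cookie = new StringBuilder();
        cookie.append(name).append('=').append(value);
        cookie.append(";Path=").append(path);
        // Attributes a practitioner would want on any SSO state cookie (assumption,
        // not part of the quoted snippet): not readable from script, HTTPS only.
        cookie.append(";HttpOnly;Secure");
        if (stateTimeToLive > 0) {
            // Persistent cookie: survives browser restarts until the Expires date.
            Instant expires = now.plusMillis(stateTimeToLive);
            cookie.append(";Expires=").append(HTTP_DATE.format(expires));
        }
        // stateTimeToLive == 0: deliberately no Expires and no Max-Age.
        return cookie.toString();
    }

    // Check: a cookie without Expires/Max-Age is a session cookie per RFC 6265.
    static boolean isSessionCookie(String setCookieValue) {
        for (String attr : setCookieValue.split(";")) {
            String a = attr.trim().toLowerCase(Locale.ROOT);
            if (a.startsWith("expires=") || a.startsWith("max-age=")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample input: the timestamp of the JIRA comment.
        Instant now = Instant.parse("2018-08-14T15:23:00Z");

        String persistent = createCookie("cxf_sso_state", "abc123", "/", 3_600_000L, now);
        String session    = createCookie("cxf_sso_state", "abc123", "/", 0L, now);

        System.out.println(persistent);
        // cxf_sso_state=abc123;Path=/;HttpOnly;Secure;Expires=Tue, 14 Aug 2018 16:23:00 GMT
        System.out.println(session);
        // cxf_sso_state=abc123;Path=/;HttpOnly;Secure

        System.out.println("persistent is session cookie: " + isSessionCookie(persistent)); // false
        System.out.println("ttl=0 is session cookie:      " + isSessionCookie(session));    // true
    }
}
```

Two caveats worth keeping in mind when relying on this. First, "removed when the browser is closed" is a browser policy, not a guarantee: browsers with session restore enabled (for example Chrome's "continue where you left off" or Firefox's restored session) can carry session cookies across a restart, so the server-side validity of the SAML assertion and of any state the cookie references remains the real bound on the session's lifetime. Second, if both Expires and Max-Age are ever set, RFC 6265 makes Max-Age take precedence, so a handler that wants a session cookie must omit both, as the stateTimeToLive=0 path above does.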