Ramprasad created CXF-7810:
------------------------------

             Summary: SAML Assertion Cookie persistence - configurable to not persist across browser restarts
                 Key: CXF-7810
                 URL: https://issues.apache.org/jira/browse/CXF-7810
             Project: CXF
          Issue Type: Test
          Components: JAX-RS
    Affects Versions: 3.2.1
            Reporter: Ramprasad


In AbstractSSOSpHandler -> createCookie there is specific code to have the cookie persist across browser restarts.
Pasted below:
************
// Keep the cookie across the browser restarts until it actually expires.
// Note that the Expires property has been deprecated but apparently is
// supported better than 'max-age' property by different browsers
// (Firefox, IE, etc)
Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
String cookieExpires =
    HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
contextCookie += ";Expires=" + cookieExpires;
************

We are using Apache CXF for web SSO to integrate with our IDP and have a
security issue with having the cookie persist when the browser exits. Is there a
configuration or different way to remove the cookie when the browser is closed? Not
all of our users will use logout to sign off; they will just close the browser.

Please let me know.
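As an added illustration (not code from the CXF project or from the reporter), here is a self-contained Java sketch that places a session-only variant of the cookie construction next to the current Expires-based one, together with a small check that classifies a Set-Cookie value as persistent or session-only. The `persistent` flag, the class name and the sample cookie values are assumptions for the example; CXF has no such setting on this page.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

public class SsoCookieCheck {

    // HTTP-date format for the Expires attribute, reproduced here so the example
    // does not depend on CXF's HttpUtils.getHttpDateFormat().
    private static final DateTimeFormatter HTTP_DATE =
        DateTimeFormatter.ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
                         .withZone(ZoneOffset.UTC);

    /**
     * Hypothetical variant of createCookie. With persistent == true the cookie is
     * built the way the pasted code does it (absolute Expires). With persistent == false
     * Expires is omitted, so the browser keeps the cookie only for the current session
     * and discards it when the browser is closed.
     */
    static String createCookie(String name, String value, String path,
                               long stateTimeToLive, boolean persistent) {
        StringBuilder cookie = new StringBuilder(name).append('=').append(value);
        if (path != null) {
            cookie.append(";Path=").append(path);
        }
        if (persistent) {
            Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
            cookie.append(";Expires=").append(HTTP_DATE.format(expires));
        }
        // Attributes worth setting on an SSO state cookie regardless of lifetime.
        cookie.append(";HttpOnly;Secure");
        return cookie.toString();
    }

    /** Per RFC 6265 a cookie is persistent iff it carries an Expires or Max-Age attribute. */
    static boolean isPersistent(String setCookieValue) {
        for (String attr : setCookieValue.split(";")) {
            String attrName = attr.trim().split("=", 2)[0].trim().toLowerCase(Locale.ROOT);
            if (attrName.equals("expires") || attrName.equals("max-age")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values; 60_000 ms stands in for stateTimeToLive.
        String current = createCookie("websso-context", "abc123", "/", 60_000L, true);
        String session = createCookie("websso-context", "abc123", "/", 60_000L, false);
        System.out.println(current + "\n  persistent=" + isPersistent(current));
        System.out.println(session + "\n  persistent=" + isPersistent(session));
    }
}
```

The same isPersistent check can be run over the Set-Cookie headers an SSO endpoint actually returns, which is the quickest way to confirm whether a deployment still issues a persistent assertion cookie.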



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)