[jira] [Commented] (CXF-7810) SAML Assertion Cookie persistence - configurable to not persist across browser restarts

Wed, 26 Sep 2018 10:52:11 -0700 


    [ 
https://issues.apache.org/jira/browse/CXF-7810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629196#comment-16629196
 ] 

Ramprasad commented on CXF-7810:
--------------------------------

Hi,

Attached our current configuration we use. Setting stateTimeToLive to 0 is 
throwing error that 'WARNING: Request State has expired'
If the value is set to non-zero in redirect filter, during saml response 
validation -> getting 'WARNING: Response State has expired'

Would you help me how to address this? 
If this is not a better form to discuss or debug, please let me know

Thank you
Ramprasad

> SAML Assertion Cookie persistence - configurable to not persist across 
> browser restarts
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-7810
>                 URL: https://issues.apache.org/jira/browse/CXF-7810
>             Project: CXF
>          Issue Type: Test
>          Components: JAX-RS
>    Affects Versions: 3.2.1
>            Reporter: Ramprasad
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.2.7
>
>         Attachments: cxf-config.xml
>
>
> In AbstractSSOSpHandler -> createCookie ->
> There is specific code to have cookie persist across browser restarts.
> Pasted Below: 
> ************
> // Keep the cookie across the browser restarts until it actually expires.
>         // Note that the Expires property has been deprecated but apparently 
> is
>         // supported better than 'max-age' property by different browsers
>         // (Firefox, IE, etc)
>         Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + 
> stateTimeToLive);
>         String cookieExpires =
>             
> HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
> contextCookie += ";Expires=" + cookieExpires;
> ************
> We are using Apache CXF for web sso to integrate with our IDP and have a 
> security issue with having the cookie persist when browser exits. Is there a 
> configuration or different way to remove cookie when the browser is closed? 
> Not all of our users will use logout to sign-off, they will just close the 
> browser.
> Please let me know.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to