[ 
https://issues.apache.org/jira/browse/CXF-7810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16637050#comment-16637050
 ] 

Ramprasad commented on CXF-7810:
--------------------------------

Hi,

Since this is a snapshot version, we cannot deploy it to our prod environment 
yet. Do you know when 3.2.7 stable release will be available for download? Who 
can I reach out to find a possible release date for this?

Thank you
Ramprasad

> SAML Assertion Cookie persistence - configurable to not persist across 
> browser restarts
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-7810
>                 URL: https://issues.apache.org/jira/browse/CXF-7810
>             Project: CXF
>          Issue Type: Test
>          Components: JAX-RS
>    Affects Versions: 3.2.1
>            Reporter: Ramprasad
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.2.7
>
>         Attachments: cxf-config.xml, output.txt
>
>
> In AbstractSSOSpHandler -> createCookie ->
> There is specific code to have cookie persist across browser restarts.
> Pasted Below: 
> ************
> // Keep the cookie across the browser restarts until it actually expires.
> // Note that the Expires property has been deprecated but apparently is
> // supported better than 'max-age' property by different browsers
> // (Firefox, IE, etc)
> Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
> String cookieExpires =
>     HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
> contextCookie += ";Expires=" + cookieExpires;
> ************
> We are using Apache CXF for web sso to integrate with our IDP and have a 
> security issue with having the cookie persist when browser exits. Is there a 
> configuration or different way to remove cookie when the browser is closed? 
> Not all of our users will use logout to sign-off, they will just close the 
> browser.
> Please let me know.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
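The quoted createCookie() snippet matters for the reported issue because a Set-Cookie value that carries an Expires (or Max-Age) attribute is a persistent cookie: the browser writes it to disk and keeps it until that time, so closing the browser does not clear the SSO state. A cookie with neither attribute is a session cookie and is discarded when the browser session ends. The following is an added example, not CXF code and not the reporter's configuration; it rebuilds both header shapes in plain java.time (standing in for CXF's HttpUtils.getHttpDateFormat()) and adds a small audit check a defender can run over Set-Cookie values to confirm which kind a deployment is actually emitting. The cookie name, value and the fixed clock are constructed placeholders.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.Locale;

/**
 * Added example (not part of Apache CXF): persistent vs. session-scoped SSO state cookie,
 * plus an audit check that classifies an arbitrary Set-Cookie value.
 */
public class SsoCookieScope {

    // HTTP-date as used in the Expires attribute. An explicit pattern is used instead of
    // DateTimeFormatter.RFC_1123_DATE_TIME because the latter does not zero-pad the day
    // of month, and HTTP-date requires two digits.
    private static final DateTimeFormatter HTTP_DATE =
            DateTimeFormatter.ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
                    .withZone(ZoneOffset.UTC);

    /**
     * Persistent cookie, mirroring the quoted snippet: Expires = now + stateTimeToLive,
     * so the browser stores the cookie on disk and keeps it across restarts.
     */
    public static String persistentCookie(String name, String value,
                                          long stateTimeToLiveMillis, Instant now) {
        Instant expires = now.plusMillis(stateTimeToLiveMillis);
        String cookieExpires = HTTP_DATE.format(expires);
        return name + "=" + value + "; Path=/; Secure; HttpOnly; Expires=" + cookieExpires;
    }

    /**
     * Session cookie: no Expires and no Max-Age, so the browser discards it when the
     * browsing session ends. Server-side expiry (stateTimeToLive) still has to be enforced.
     */
    public static String sessionCookie(String name, String value) {
        return name + "=" + value + "; Path=/; Secure; HttpOnly";
    }

    /**
     * Audit check: true if the Set-Cookie value contains an Expires or Max-Age attribute,
     * i.e. the cookie will outlive the browser session. Attribute names are case-insensitive.
     */
    public static boolean isPersistent(String setCookieValue) {
        return Arrays.stream(setCookieValue.split(";"))
                .map(String::trim)
                .map(attr -> attr.split("=", 2)[0].trim().toLowerCase(Locale.ROOT))
                .anyMatch(attrName -> attrName.equals("expires") || attrName.equals("max-age"));
    }

    public static void main(String[] args) {
        // Fixed clock and constructed cookie name/value so the output is reproducible.
        Instant now = Instant.parse("2018-10-03T12:00:00Z");
        long stateTimeToLive = 2 * 60 * 1000L; // 2 minutes, a placeholder TTL

        String persistent = persistentCookie("sso_state", "constructed-value", stateTimeToLive, now);
        String session = sessionCookie("sso_state", "constructed-value");

        System.out.println(persistent + "\n  -> persistent=" + isPersistent(persistent)); // true
        System.out.println(session + "\n  -> persistent=" + isPersistent(session));       // false
    }
}
```

Two caveats when using the check in practice: removing Expires only changes what the browser does at shutdown, so the server must still reject state older than stateTimeToLive on its own clock; and browsers configured to restore the previous session on startup may keep session cookies alive, so "closes the browser" is not a hard security boundary on the client side.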
