[CXF-7810] SAML Assertion Cookie persistence - configurable to not persist across browser restarts - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Test
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.2.1
Fix Version/s: 3.2.7
Component/s: JAX-RS
Labels:
None

Estimated Complexity:
Unknown

Description

In AbstractSSOSpHandler -> createCookie ->
There is specific code to have cookie persist across browser restarts.
Pasted Below:
************
// Keep the cookie across the browser restarts until it actually expires.
// Note that the Expires property has been deprecated but apparently is
// supported better than 'max-age' property by different browsers
// (Firefox, IE, etc)
Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
String cookieExpires =
HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
contextCookie += ";Expires=" + cookieExpires;
************

We are using Apache CXF for web sso to integrate with our IDP and have a security issue with having the cookie persist when browser exits. Is there a configuration or different way to remove cookie when the browser is closed? Not all of our users will use logout to sign-off, they will just close the browser.

Please let me know.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

output.txt
01/Oct/18 18:10
26 kB
Ramprasad
cxf-config.xml
26/Sep/18 17:48
2 kB
Ramprasad

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Ramprasad

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 30/Jul/18 19:27

Updated:: 30/Oct/18 10:05

Resolved:: 14/Aug/18 15:22