IdP's Session Cookie

Michael A Grady mgrady at
Thu Nov 1 11:25:36 EDT 2012

On Nov 1, 2012, at 9:02 AM, Cantor, Scott wrote:

> On 11/1/12 9:14 AM, "Paul Hethmon" <paul.hethmon at>
> wrote:
>> I'm pretty sure that session cookie is set regardless of the
>> PreviousSession handler being there or not. Even if session time is set to
>> 0, I think it gets set. It's just immediately invalid.
> Yes, the handler has nothing to do with the cookie being set.


Looks like the cookie causing problems (causing a user to be "remembered" when such isn't desired) is a JSESSIONID cookie, scoped to the External Authentication handler path. (The External Authn handler is what is being used in this case.) I am correct in my reading of the documentation that the authenticationDuration setting for a handler isn't supposed to matter if the PreviousSession handler is not activated -- is that indeed correct?

Which would presumably put the External Authn "trigger code" (filter/servlet) at fault for this cookie and its use.

> -- Scott

Michael A. Grady
Senior IAM Consultant, Unicon, Inc.
