IdP's Session Cookie
Michael A Grady
mgrady at unicon.net
Thu Nov 1 11:25:36 EDT 2012
On Nov 1, 2012, at 9:02 AM, Cantor, Scott wrote:
> On 11/1/12 9:14 AM, "Paul Hethmon" <paul.hethmon at clareitysecurity.com>
> wrote:
>>
>> I'm pretty sure that session cookie is set regardless of the
>> PreviousSession handler being there or not. Even if session time is set to
>> 0, I think it gets set. It's just immediately invalid.
>
> Yes, the handler has nothing to do with the cookie being set.
Thanks.
Looks like the cookie causing problems (causing a user to be "remembered" when such isn't desired) is a JSESSIONID cookie, scoped to the External Authentication handler path. (The External Authn handler is what is being used in this case.) I am correct in my reading of the documentation that the authenticationDuration setting for a handler isn't supposed to matter if the PreviousSession handler is not activated -- is that indeed correct?
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthnSession
Which would presumably put the External Authn "trigger code" (filter/servlet) at fault for this cookie and its use.
>
> -- Scott
>
--
Michael A. Grady
Senior IAM Consultant, Unicon, Inc.