IdP's Session Cookie

Cantor, Scott cantor.2 at
Thu Nov 1 13:11:45 EDT 2012

On 11/1/12 11:25 AM, "Michael A Grady" <mgrady at> wrote:
>Looks like the cookie causing problems (causing a user to be "remembered"
>when such isn't desired) is a JSESSIONID cookie, scoped to the External
>Authentication handler path. (The External Authn handler is what is being
>used in this case.) I am correct in my reading of the documentation that
>the authenticationDuration setting for a handler isn't supposed to matter
>if the PreviousSession handler is not activated -- is that indeed correct?

I believe so.

>Which would presumably put the External Authn "trigger code"
>(filter/servlet) at fault for this cookie and its use.

Yes, if there's a session between the client and non-IdP code, then it's
outside the IdP's control. I believe because it uses internal forwarding,
the IdP avoids use of the container session at the moment, but I'd have to
ask Chad if we need to confirm that.

Either way, we don't use that session for user-identity preservation for

-- Scott

More information about the users mailing list