IdP's Session Cookie

Cantor, Scott cantor.2 at osu.edu
Thu Nov 1 13:11:45 EDT 2012


On 11/1/12 11:25 AM, "Michael A Grady" <mgrady at unicon.net> wrote:
>
>Looks like the cookie causing problems (causing a user to be "remembered"
>when such isn't desired) is a JSESSIONID cookie, scoped to the External
>Authentication handler path. (The External Authn handler is what is being
>used in this case.) I am correct in my reading of the documentation that
>the authenticationDuration setting for a handler isn't supposed to matter
>if the PreviousSession handler is not activated -- is that indeed correct?

I believe so.

> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthnSession
>
>Which would presumably put the External Authn "trigger code"
>(filter/servlet) at fault for this cookie and its use.

Yes, if there's a session between the client and non-IdP code, then it's
outside the IdP's control. I believe because it uses internal forwarding,
the IdP avoids use of the container session at the moment, but I'd have to
ask Chad if we need to confirm that.

Either way, we don't use that session for user-identity preservation for
sure.

-- Scott



