Need to modify AuthnContextClassRef in ExternalAuth

Cantor, Scott cantor.2 at
Tue Dec 22 13:27:13 EST 2015

On 12/22/15, 12:06 PM, "users on behalf of Stefan Santesson" <users-bounces at on behalf of stefan at> wrote:

>I actually got a slightly different result on this go, using enriched logs. Here is the relevant log data:

That all matches, save for the part I can't explain.

There's no reason I can think of that having a stale IdP session cookie would cause any problems, but I will reproduce that case.

>I can’t find neither the word JSESSIONID nor the JSESSIONID value in the log. Should ?

No, though I believe it can be added with some kind of MDC variable.

>However, I’m pretty sure the JSESSIONID is reaching the server, or else, also server side storage would fail, and that works.

Well, it wouldn't have any impact on storage, but it should break Spring Web Flow entirely and it would never be able to complete a request.

There has to be some edge case here I'm not seeing, but if it's as egregious as just a stale cookie, I don't know how that could have been missed.

-- Scott


More information about the users mailing list