_idp_spnego_autologin

Daniel Lutz daniel.lutz at switch.ch
Thu Jun 18 09:33:32 UTC 2020


Martin Haase wrote (18.06.20 09:36):
> we noticed that the SPNEGO autologin cookie name in user-prefs.vm is
> "_idp_spnego_autologin", whereas the Wiki still had idp_krb_enabled. Any
> objections to have it changed?

Thanks for the contribution.

The meaning of this cookie is not the same as the "auto-login" cookie.
Unfortunately, the example doesn't clarify this.

I've just added a clarifying comment to the example on the V4 page, including
an example for user-prefs.vm:
https://wiki.shibboleth.net/confluence/display/IDP4/SPNEGOAuthnConfiguration#SPNEGOAuthnConfiguration-ConfigurationofanActivationCondition

The origin of this example is the implementation of the "Kerberos Login Handler"
for the V2 IdP. That one supported enabling/disabling or showing/hiding the
SPNEGO login via the user interface. We decided not to implement this feature
in the new implementation for V3/V4, but let the deployer configure whatever
is required for the organisation. (But "auto-login" is a built-in feature
of the flow.)

> Furthermore, SPNEGOAutoLoginManager.java still uses another cookie name,
> "_shib_idp_SPNEGO_enable_autologin". Could we also switch to this one,
> adding a note in the Wiki that user-prefs.vm better had
> _shib_idp_SPNEGO_enable_autologin? Or is there a functional difference?

SPNEGOAutoLoginManager.java actually uses the cookie name "_idp_spnego_autologin".
The value "_shib_idp_SPNEGO_enable_autologin" is a form parameter used in
the SPNEGO login flow. If the corresponding checkbox is enabled on the login
page, the flow will set the cookie "_idp_spnego_autologin" (only) if the
SPNEGO login was successful.


  Daniel

