_opensaml_req cookies

Jan Vilhuber JVilhuber at absolute.com
Fri Jun 18 12:29:27 UTC 2021

I noticed recently that my browser (which I never close) is sending 20 (I found the limit of 20 hardcoded in cpp-sp) of the _opensaml_req cookies with requests to my shib-3.1.0 SP (and really any later requests that flow through that same gateway).

I noticed when I log in (from the Shibboleth.sso/POST API), the SP sends me back one such as this:
  "_opensaml_req_ss:mc:72c1dde4746e3da50fdef4d9c46681853e205fb3fe085ee779cfe7ae6e567bbf": {
    "expires": "2001-01-01T00:00:00.000Z",
    "httpOnly": true,
    "path": "/",
    "samesite": "None",
    "secure": true,
    "value": ""
  }

Since these are session cookies and the lifetime isn’t set, I think it makes sense that they never go away (since I never close my browser). Is that correct?

Would the ‘cookieLifetime’ (https://wiki.shibboleth.net/confluence/display/SP3/Sessions) affect these cookies and make them eventually expire and go away? Or does that only affect the _shibsession and possibly relay-state cookies?

What are these used for? I don’t use a shibboleth IDP, FWIW.
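
As an added example (not part of the original post and not Shibboleth code): a Python sketch that classifies exported cookie records like the one quoted above by their `expires` attribute and counts the `_opensaml_req_` entries against the limit of 20 mentioned in the post. The function names, the dict layout of the sample and the extra cookie names are constructed for illustration.

```python
from datetime import datetime, timezone

PREFIX = "_opensaml_req_"  # cookie-name prefix from the post
LIMIT = 20                 # cap the poster reports finding hardcoded in cpp-sp


def classify(record, now=None):
    """Classify one exported cookie record as 'clear', 'session' or 'persistent'."""
    now = now or datetime.now(timezone.utc)
    expires = record.get("expires")
    if not expires:
        return "session"      # no expiry attribute: kept until the browser exits
    when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
    if when <= now:
        return "clear"        # expiry already in the past: browser discards the cookie
    return "persistent"


def audit(cookies, now=None):
    """Count _opensaml_req_ cookies by class and compare live ones with LIMIT."""
    counts = {"clear": 0, "session": 0, "persistent": 0}
    for name, record in cookies.items():
        if name.startswith(PREFIX):
            counts[classify(record, now)] += 1
    live = counts["session"] + counts["persistent"]
    return {"counts": counts, "live": live, "at_limit": live >= LIMIT}


# The record quoted in the post (attributes copied as shown there).
POSTED = {
    "_opensaml_req_ss:mc:72c1dde4746e3da50fdef4d9c46681853e205fb3fe085ee779cfe7ae6e567bbf": {
        "expires": "2001-01-01T00:00:00.000Z", "httpOnly": True, "path": "/",
        "samesite": "None", "secure": True, "value": "",
    }
}

# Constructed sample: 20 cookies with no expiry, as a long-running browser might hold.
# Names and values are made up for illustration; a non-matching cookie is ignored.
SAMPLE = {f"{PREFIX}constructed{i:02d}": {"path": "/", "value": "x"} for i in range(LIMIT)}
SAMPLE["_shibsession_constructed"] = {"path": "/", "value": "y"}
SAMPLE.update(POSTED)

if __name__ == "__main__":
    print(audit(POSTED))
    print(audit(SAMPLE))
```
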
