_opensaml_req cookies

Cantor, Scott cantor.2 at osu.edu
Fri Jun 18 13:42:36 UTC 2021

On 6/18/21, 8:29 AM, "users on behalf of Jan Vilhuber" <users-bounces at shibboleth.net on behalf of JVilhuber at absolute.com> wrote:

>    Since these are session cookies and the lifetime isn’t set, I think it makes sense that they never go away (since
> I never close my browser). Is that correct?

No. Sending the expiration clears a cookie and happens on every completed login (fail or not, it happens during the response decoding step), and if it tries to install a 21st, to keep the limit. If you have 20, then you have 19 aborted logins that you never completed, and there's really not much it can do about that. 

The limit can be reduced iff the relayState is handled via cookie, which supports an embedded number of cookies to maintain.

>    What are these used for?

The ability to do request correlation and in turn block unsolicited responses.

I did consider making them persistent cookies, which would age them out more naturally, it's possible that's a wiser course for a fix.

-- Scott
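The behaviour Scott describes (one correlation cookie per outstanding request, cleared when the response is decoded, capped at 20 so aborted logins accumulate until the cap evicts the oldest) as a small Python model. This is an added illustration, not Shibboleth SP or OpenSAML code; the `_opensaml_req_` cookie-name prefix, the `CorrelationStore` class and the way relayState is stored are assumptions made for the example.

```python
"""Model of per-request SAML correlation cookies as described in the thread above.

Assumed: cookie names use the prefix "_opensaml_req_" plus the request ID, and the
cookie value carries the relayState. Neither detail is taken from the real SP code.
"""
from collections import OrderedDict
import secrets

MAX_REQUEST_COOKIES = 20          # cap mentioned in the thread
COOKIE_PREFIX = "_opensaml_req_"  # assumed naming, illustrative only


class CorrelationStore:
    """The SP's view of the browser's jar: one session cookie per outstanding request."""

    def __init__(self, limit: int = MAX_REQUEST_COOKIES):
        self.limit = limit
        # insertion-ordered so the oldest (most likely abandoned) request evicts first
        self.cookies: "OrderedDict[str, str]" = OrderedDict()

    def begin_request(self, relay_state: str) -> str:
        """Start a login: mint a request ID and install its cookie.

        If a 21st cookie would be installed, the oldest one is dropped to keep the
        limit; until then, abandoned logins simply pile up as live session cookies.
        """
        request_id = "_" + secrets.token_hex(16)
        self.cookies[COOKIE_PREFIX + request_id] = relay_state
        while len(self.cookies) > self.limit:
            self.cookies.popitem(last=False)
        return request_id

    def decode_response(self, in_response_to: str) -> str:
        """Response decoding step: correlate the response with a stored request.

        The matching cookie is removed (expired) here, before any assertion
        validation, so it is cleared whether the login later succeeds or fails.
        A response that matches no outstanding request is unsolicited and rejected.
        """
        relay_state = self.cookies.pop(COOKIE_PREFIX + in_response_to, None)
        if relay_state is None:
            raise ValueError("unsolicited response: no matching request cookie")
        return relay_state

    def outstanding(self) -> int:
        """Number of request cookies still held, i.e. logins never completed."""
        return len(self.cookies)
```

Running `begin_request` 25 times without ever calling `decode_response` leaves exactly 20 cookies, which is the steady state the original poster observed.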
