JSESSIONID issues, Stale Session. (SameSite issue?)

mat houser mhouser at uwm.edu
Thu Jan 20 17:53:35 UTC 2022

If it's happening mostly with Firefox, the latest update changed
network.cookie.sameSite.laxByDefault to true, which is breaking a lot of
our Firefox users.

mhouser at uwm.edu

On Thu, 20 Jan 2022, Etan Weintraub via users wrote:

We just started having the issue appear significantly yesterday, and have
been trying to track down what the cause is or how we can fix it, and we
literally just identified it as a jsessionID issue about an hour ago.

Scott- Is there a way for us to fix this on our side, or are we just
completely hosed and need to not use SAML Proxy Auth?

-Etan E. Weintraub
IT Architect
Enterprise Authentication & Cloud Workspace
IT at Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Davis Building Suite 3110B
Baltimore, MD 21209
E-mail: eweintra at jhmi.edu
Pronouns: he, him, his

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Thursday, January 20, 2022 11:50 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: JSESSIONID issues, Stale Session. (SameSite issue?)

The SameSite page contains this text that needs to be more prominent:

"It is also likely that SAML proxying will be affected by this issue,
because the POST back to the IdP from the proxied IdP will omit the
necessary cookies to resume the flow, resulting in the "stale request"

It's not "likely", it's fact. The IdP will not function unless the original
JSESSIONID is delivered back with the SAML POST intact.

-- Scott
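
Added example, not part of the thread and not Shibboleth code: a simplified model of how a browser decides whether to attach JSESSIONID to the cross-site SAML POST back to the IdP, with and without lax-by-default. The Set-Cookie values are constructed, the function names are hypothetical, and the model assumes the browser rejects SameSite=None without Secure and ignores the time-limited exception some browsers make for new cookies with no SameSite attribute.

```javascript
// Constructed sample headers; not taken from any real IdP.
const PLAIN = "JSESSIONID=abc123; Path=/idp; Secure; HttpOnly";
const FIXED = "JSESSIONID=abc123; Path=/idp; Secure; HttpOnly; SameSite=None";

// Parse a Set-Cookie header into { name, secure, sameSite }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "secure") cookie.secure = true;
    if (k === "samesite") cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Would this cookie be attached to a cross-site top-level POST?
// laxByDefault mirrors network.cookie.sameSite.laxByDefault.
function sentOnCrossSitePost(header, laxByDefault) {
  const c = parseSetCookie(header);
  const explicit = ["strict", "lax", "none"].includes(c.sameSite);
  // Missing or unrecognised attribute: the browser default applies.
  // Legacy default sends the cookie; lax-by-default withholds it on POST.
  if (!explicit) return !laxByDefault;
  // SameSite=None is only honoured together with Secure (model assumption).
  if (c.sameSite === "none") return c.secure;
  // Lax and Strict both withhold cookies on a cross-site POST.
  return false;
}

// Summarise each header for one browser setting.
function report(headers, laxByDefault) {
  return headers.map((h) => ({
    name: parseSetCookie(h).name,
    sameSite: parseSetCookie(h).sameSite || "(unset)",
    sent: sentOnCrossSitePost(h, laxByDefault),
  }));
}

console.log("laxByDefault=false", report([PLAIN, FIXED], false));
console.log("laxByDefault=true ", report([PLAIN, FIXED], true));
```

With laxByDefault true, the cookie with no SameSite attribute is withheld from the POST, which is the condition the thread describes.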
