SP cookie bloat

Cantor, Scott cantor.2 at osu.edu
Mon Oct 24 14:20:17 UTC 2022

Actually, even more on point, I just verified that in fact the code is doing the cleanup of both relay state and the request correlation cookies in the same spot, whenever the SP initiates a request for a session. It's a second cleanup step as a fallback.

So aside from the flooding issue due to the limit being hardwired to 20 (and as always, those scenarios mean you MUST use passive session protection and handle timeouts yourself), I don't see any obvious reason they would accumulate beyond that number, even if people abort logins.

I'll give it a test, but I don't think it behaves the way people have claimed unless there's a bug somewhere.

-- Scott

More information about the users mailing list