SP cookie bloat
Cantor, Scott
cantor.2 at osu.edu
Mon Oct 24 14:20:17 UTC 2022
Actually, even more on point, I just verified that in fact the code is doing the cleanup of both relay state and the request correlation cookies in the same spot, whenever the SP initiates a request for a session. It's a second cleanup step as a fallback.
So aside from the flooding issue due to the limit being hardwired to 20 (and as always, those scenarios mean you MUST use passive session protection and handle timeouts yourself), I don't see any obvious reason they would accumulate beyond that number, even if people abort logins.
I'll give it a test, but I don't think it behaves the way people have claimed unless there's a bug somewhere.
-- Scott
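One way to test the "cookie bloat" claim from the client side, as an added example that is not code from the Shibboleth project or from this thread: take the raw Cookie header a browser sends to the SP, count the relay-state and session cookies it carries, and flag a jar that exceeds the 20-cookie cap mentioned above or grows large enough to risk the web server's request-header limit. The cookie-name prefixes `_shibstate_` and `_shibsession_`, the 8 KB header budget, and the sample header values are assumptions made for the example.

```python
# Added example (not Shibboleth project code): a quick check for the
# "cookie bloat" claim.  Given the raw Cookie header a browser sends to the
# SP, count how many relay-state and session cookies are present and flag a
# jar that exceeds the 20-cookie cap discussed in the message.
#
# Assumptions (adjust for your deployment):
#   - relay-state cookies carry the prefix "_shibstate_"
#   - session cookies carry the prefix "_shibsession_"
#   - HEADER_BUDGET approximates a typical web-server request-header limit

STATE_PREFIX = "_shibstate_"      # assumption
SESSION_PREFIX = "_shibsession_"  # assumption
STATE_LIMIT = 20                  # hardwired cap mentioned in the message
HEADER_BUDGET = 8192              # assumption: typical per-header byte limit


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header ("a=1; b=2") into {name: value}.

    Written by hand rather than with http.cookies so that percent-encoded
    relay-state values and odd characters never trip the parser.
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if sep:                       # ignore bare tokens without '='
            cookies[name.strip()] = value.strip()
    return cookies


def cookie_report(header: str, limit: int = STATE_LIMIT,
                  budget: int = HEADER_BUDGET) -> dict:
    """Summarise SP cookies in a header and flag the two failure modes:
    more state cookies than the SP is supposed to keep, and a header so large
    that the web server may reject the request outright."""
    cookies = parse_cookie_header(header)
    state = sorted(n for n in cookies if n.startswith(STATE_PREFIX))
    session = sorted(n for n in cookies if n.startswith(SESSION_PREFIX))
    size = len(header.encode("utf-8"))
    return {
        "state_cookies": len(state),
        "session_cookies": len(session),
        "other_cookies": len(cookies) - len(state) - len(session),
        "header_bytes": size,
        "over_state_limit": len(state) > limit,
        "over_header_budget": size > budget,
        "state_names": state,
    }


# Constructed sample: a jar with 22 relay-state cookies left behind by
# aborted logins, one live session cookie and one unrelated cookie.
# The names and values are made up for the example.
SAMPLE_HEADER = "; ".join(
    [f"{STATE_PREFIX}{i:04x}=ss%3Amem%3A{i:032x}" for i in range(22)]
    + [f"{SESSION_PREFIX}deadbeef=_sessionvalue", "theme=dark"]
)


if __name__ == "__main__":
    report = cookie_report(SAMPLE_HEADER)
    for key, value in report.items():
        if key != "state_names":
            print(f"{key}: {value}")
    if report["over_state_limit"]:
        print("relay-state cookies exceed the expected cap; check whether "
              "the SP is actually receiving these requests before blaming "
              "the cleanup code")
```

To use it against a real browser, copy the Cookie header from the browser's network inspector (or from the web server's request log, if it logs headers) and pass it to cookie_report(); a count that stays at or below the cap after repeated aborted logins supports the cleanup behaviour described above, while a count that keeps climbing points at a request path the SP never sees.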