[
https://issues.apache.org/jira/browse/CXF-7810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629498#comment-16629498
]
Ramprasad edited comment on CXF-7810 at 9/26/18 10:52 PM:
----------------------------------------------------------
Yes. We are using 3.2.7-SNAPSHOT
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-rs-security-sso-saml</artifactId>
    <version>3.2.7-SNAPSHOT</version>
</dependency>
was (Author: ranusuri):
Yes. We are using 3.27-SNAPSHOT
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-rs-security-sso-saml</artifactId>
    <version>3.2.7-SNAPSHOT</version>
</dependency>
> SAML Assertion Cookie persistence - configurable to not persist across
> browser restarts
> ---------------------------------------------------------------------------------------
>
> Key: CXF-7810
> URL: https://issues.apache.org/jira/browse/CXF-7810
> Project: CXF
> Issue Type: Test
> Components: JAX-RS
> Affects Versions: 3.2.1
> Reporter: Ramprasad
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 3.2.7
>
> Attachments: cxf-config.xml
>
>
> In AbstractSSOSpHandler -> createCookie ->
> There is specific code to have cookie persist across browser restarts.
> Pasted Below:
> ************
> // Keep the cookie across the browser restarts until it actually expires.
> // Note that the Expires property has been deprecated but apparently is
> // supported better than 'max-age' property by different browsers
> // (Firefox, IE, etc)
> Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
> String cookieExpires =
>     HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
> contextCookie += ";Expires=" + cookieExpires;
> ************
> We are using Apache CXF for web sso to integrate with our IDP and have a
> security issue with having the cookie persist when browser exits. Is there a
> configuration or different way to remove cookie when the browser is closed?
> Not all of our users will use logout to sign-off, they will just close the
> browser.
> Please let me know.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)