By: san jong user 05 Feb 2018 at 3:39 a.m. CST

3 Responses
Can "sessionIdLifetime" (Gluu 3.1.1 -> JSON Configuration -> oxauth-config.xml) be set to null so that the cookie "session_id" is non-persistent? Looking at the method org.xdi.oxauth.service.SessionIdService.createSessionIdCookie(...), the cookie expire setting will be skipped if sessionIdLifetime is null, but the UI enforces that "sessionIdLifetime" must be at least 1. How can I make the cookie "session_id" non-persistent? Thanks.

By Aliaksandr Samuseu staff 05 Feb 2018 at 2:53 p.m. CST

Hi, San.

> How can I make the cookie "session_id" non-persistent?

Could you elaborate? What do you understand by "non-persistent"? You don't want a user to have a session at Gluu, so that they would be asked for credentials each time they are redirected there? Gluu was built around the idea of providing an SSO experience to users in the first place, so it undermines its purpose a bit.

By san jong user 05 Feb 2018 at 7:31 p.m. CST

Hi, thank you for your reply. Please allow me to describe in point form:

a. About persistent cookies
---------------------------

I am referring to session vs. persistent cookies, as described in this link: https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117925-technote-csc-00.html Basically, session cookies get discarded when the browser is closed.

b. Issue that we are facing
---------------------------

On Gluu SAML server version 2.4.4, a user logs in to our site via SAML (Gluu server); when the browser is closed and launched again to access our site, user login is **required**.

Now we upgraded to Gluu version 3.1.1. A user logs in to our site via SAML (Gluu server); when the browser is closed and launched again to access our site, user login is **granted** by the Gluu server automatically (without the need for the user to enter a password).

We would like to retain the behavior of Gluu SAML server 2.4.4, because users sometimes simply close the browser instead of doing a proper logout, and our site contains sensitive information.

Thanks, and I appreciate your time and help. Cheers.

By Aliaksandr Samuseu staff 14 Feb 2018 at 2:24 p.m. CST

Hi, San. It turns out you are right, and the expiration method of some cookies has been changed in 3.x. An [enhancement proposal](https://github.com/GluuFederation/oxAuth/issues/745) was filed for it to be a customizable feature, but there is no ETA or guarantee it will be adopted atm. Currently, I can only suggest you try to emulate the previous behaviour using some Apache directives you can add to Gluu's virtual host in `/etc/httpd/conf.d/https_gluu.conf`
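One way to apply the Apache-directive approach mentioned above, as an added example that is not code from this thread or from the Gluu project: it assumes mod_headers is loaded (it is on a stock httpd install) and that the cookie to neutralise is the `session_id` cookie the original question names. Removing the Expires and Max-Age attributes from the Set-Cookie response header makes the browser treat it as a session cookie, i.e. discard it when the browser is closed.

```apache
# Added example (not from the Gluu docs or this thread). Place inside the
# <VirtualHost *:443> block of /etc/httpd/conf.d/https_gluu.conf, which
# fronts oxAuth via mod_proxy, so the backend's Set-Cookie headers pass through here.
# Assumes mod_headers is loaded and that oxAuth names the cookie "session_id".
<IfModule mod_headers.c>
    # Drop the Expires= attribute from the session_id cookie only. Other cookies
    # and the remaining attributes (Path, Secure, HttpOnly, ...) are left intact.
    # (?i) makes the match case-insensitive; .*? stops at the first Expires=.
    Header edit Set-Cookie "(?i)^(session_id=.*?);[ ]*Expires=[^;]*" "$1"
    # Also drop Max-Age=, in case the servlet container emits both attributes.
    Header edit Set-Cookie "(?i)^(session_id=.*?);[ ]*Max-Age=[^;]*" "$1"
</IfModule>
```

This changes only what the browser keeps: the server-side session in oxAuth still lives for sessionIdLifetime, so a restarted browser simply arrives without the cookie and is prompted again. Verify by checking in the browser's developer tools that the Set-Cookie header for session_id no longer carries an Expires or Max-Age attribute.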