By: san jong user 05 Feb 2018 at 3:39 a.m. CST

3 Responses

Can "sessionIdLifetime" (Gluu 3.1.1 -> JSON Configuration -> oxauth-config.xml) be set to null so that cookie "session_id" is non-persistent?

Looking at the method org.xdi.oxauth.service.SessionIdService.createSessionIdCookie(...), the cookie expiry setting will be skipped if sessionIdLifetime is null, but the UI enforces that "sessionIdLifetime" must be at least 1.

How can I make the cookie "session_id" non-persistent?

Thanks.

By Aliaksandr Samuseu staff 05 Feb 2018 at 2:53 p.m. CST


Hi, San.

How can I make the cookie "session_id" non-persistent?

Could you elaborate? What do you understand by "non-persistent"? You don't want a user to have a session at Gluu, so that they would be asked for credentials each time they are redirected there? Gluu was built around the idea of providing an SSO experience to users in the first place, so it undermines its purpose a bit.

By san jong user 05 Feb 2018 at 7:31 p.m. CST


Hi,

Thank you for your reply, please allow me to describe in point form:

a. About persistent cookies

I am referring to session vs persistent cookie, as described in this link:

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117925-technote-csc-00.html

Basically, session cookies get discarded when the browser is closed.

b. Issue that we are facing

On Gluu SAML server version 2.4.4, users log in to our site via SAML (Gluu server); when the browser is closed and launched again to access our site, user login is required.

Now we have upgraded to Gluu version 3.1.1; users log in to our site via SAML (Gluu server), but when the browser is closed and launched again to access our site, user login is granted by the Gluu server automatically (without the need for the user to enter a password).

We would like to retain the behavior of Gluu SAML server 2.4.4, because users sometimes simply close the browser instead of doing a proper logout, and our site contains sensitive information.

Thanks and appreciate your time and help, cheers.

By Aliaksandr Samuseu staff 14 Feb 2018 at 2:24 p.m. CST


Hi, San.

It turns out you are right and some cookies' expiration method has been changed in 3.x. An enhancement proposal was filed for it to be a customizable feature, but no ETA or guarantees it will be adopted atm.

Currently, I can only suggest you try to emulate the previous behaviour using some Apache directives you can add to Gluu's virtual host in /etc/httpd/conf.d/https_gluu.conf
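One way to do what the reply above suggests, as an added example that is not from the thread or from Gluu: use mod_headers at the Apache reverse proxy to drop the Expires and Max-Age attributes from the session_id cookie, so the browser treats it as a session cookie. It assumes mod_headers is loaded, that the cookie is named session_id as stated in the thread, and that the directives go inside the existing <VirtualHost> block in /etc/httpd/conf.d/https_gluu.conf.

```apache
# Added example (not Gluu's own configuration): place these lines inside the
# existing <VirtualHost> block for Gluu in /etc/httpd/conf.d/https_gluu.conf.
# Assumes mod_headers is loaded and the cookie name is session_id.

# "always" makes the edit apply to every response, including the 302
# redirects used by the login flow, not only to 2xx responses.
# "(?i)" makes the match case-insensitive. The non-greedy "(.*?)" keeps
# everything before the attribute in $1; the attributes after it
# (Path, Secure, HttpOnly) are left untouched because only the matched
# "; Expires=..." / "; Max-Age=..." part is removed.
Header always edit Set-Cookie "(?i)^(session_id=.*?); ?Expires=[^;]*" "$1"
Header always edit Set-Cookie "(?i)^(session_id=.*?); ?Max-Age=[^;]*" "$1"

# Example effect (constructed value, for illustration only):
#   before: session_id=abc123; Path=/; Expires=Tue, 13 Feb 2018 12:00:00 GMT; Secure; HttpOnly
#   after:  session_id=abc123; Path=/; Secure; HttpOnly
```

After `apachectl configtest` and a restart, confirm in the browser's developer tools that the Set-Cookie header for session_id carries no Expires or Max-Age; note that the server-side session in oxAuth still lives until sessionIdLifetime runs out, and browsers configured to restore the previous session on start may keep session cookies anyway.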