Since upgrading OpenSSO to 8.0 Update 1 Patch3 Build 6.1 and switching to webagents v3, we encounter the following strange problem:
Cliff notes: an empty iPlanet cookie is being sent to the browser before login. This bugs Firefox because it's not overwritten by the correct cookie after login, and the duplicate iPlanet cookies give problems after the login.
- everything is fine in Opera
- in IE and Firefox (and potentially other browsers), every single request to a protected resource gets redirected to the SSO, which promptly redirects back to the resource because a valid session already exists. Then the protected content is delivered just fine
- 5 minutes after login, everything is working as expected
I tracked down the problem pretty far:
- Assume an invalid session / no SSO cookies:
- the first request to a protected resource gets the following headers as response:
Now the user logs in and is redirected back to the protected resource by the cdservlet.
However, Firefox now always sends two valid iplanet-cookies for the resources. You can see this in the browser-cookie-list and in the HTTP-Request as well:
Cookie iPlanetDirectoryPro=; iPlanetDirectoryPro=DFA85DA..DFA85DA=#; JSESSIONID=DFA85DA..DFA85DA
Once you delete the empty cookie, or it expires after 300 seconds = 5 minutes, everything is fine.
Opera seems to overwrite the empty one with the correct one while Firefox does not.
So my main question is: How can I prevent the setting of this empty 300-max-age iPlanet cookie? What is it good for anyway?
I tried experimenting with com.sun.identity.agents.config.cookie.reset.enable, but nothing changed.
I find it particularly strange that 300 is the default value of com.sun.identity.agents.config.profile.attribute.cookie.maxage. However, I changed that value but the maxage=300 persists. Actually, I don't have any 300 whatsoever left in my config.
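
Added diagnostic example (not part of the original post, and not OpenSSO or agent code): it flags duplicate cookie names in a request's Cookie header like the one quoted above, and models the RFC 6265 storage rule that a browser replaces a stored cookie only when name, domain and path all match, which is how two same-named cookies can coexist. The domains, paths and the `TOKEN` value are constructed assumptions, since the post does not show the scopes of the two cookies.

```javascript
// Split a Cookie request header into [name, value] pairs, keeping duplicates.
function parseCookieHeader(header) {
  return header.split(';')
    .map(part => part.trim())
    .filter(part => part.length > 0)
    .map(part => {
      const eq = part.indexOf('=');
      return eq === -1 ? ['', part] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Report cookie names that occur more than once and whether one copy is empty.
function findDuplicateCookies(header) {
  const seen = new Map();
  for (const [name, value] of parseCookieHeader(header)) {
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  return [...seen.entries()]
    .filter(([, values]) => values.length > 1)
    .map(([name, values]) => ({ name, count: values.length, hasEmpty: values.includes('') }));
}

// Minimal cookie store using the RFC 6265 replacement rule: a new cookie
// overwrites a stored one only if name, domain and path are all identical.
class CookieStore {
  constructor() { this.cookies = new Map(); }
  set({ name, value, domain, path = '/' }) {
    const key = [name, domain.toLowerCase(), path].join('|');
    this.cookies.set(key, { name, value, domain, path });
  }
  // Simplification: every stored cookie is assumed to match the request URL.
  cookieHeader() {
    return [...this.cookies.values()].map(c => c.name + '=' + c.value).join('; ');
  }
}

// Constructed scenario: an empty cookie is stored first, then the session
// cookie arrives either with the same scope or with a different domain.
function simulate(sameScope) {
  const store = new CookieStore();
  store.set({ name: 'iPlanetDirectoryPro', value: '', domain: 'app.example.com' });
  store.set({ name: 'iPlanetDirectoryPro', value: 'TOKEN',
              domain: sameScope ? 'app.example.com' : '.example.com' });
  return store.cookieHeader();
}
```

Comparing the Domain and Path attributes of the two Set-Cookie responses in the browser's network view shows which attribute differs in a real deployment.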