Latest reply: Aug 13, 2010 4:32 AM by 807573

    Webagent in sends empty cookie before redirecting to login

    807573
      Since upgrading the opensso to 8.0 Update 1 Patch3 Build 6.1 and switching to webagents v3 we encounter the following strange problem:

      cliffnotes: an empty iplanet cookie is being sent to the browser before login. This bugs Firefox because it's not overwritten by the correct cookie after login, and the duplicate iplanet cookies give problems after the login.


      Long version:

      -everything is fine in Opera
      -in IE and Firefox (and potentially other browsers), every single request to a protected resource gets redirected to the SSO,
      which promptly redirects back to the resource because a valid session already exists. Then the protected content is delivered just fine
      -5 minutes after login, everything is working as expected

      I tracked down the problem pretty far:

      -Assume an invalid session / no SSO cookies:
      -the first request to a protected resource gets the following headers as response:

      ...
      Set-Cookie     iPlanetDirectoryPro=;Max-Age=300;Path=/
      Location     https://...:443/opensso/cdcservlet
      ...

      Now the user logs in and is redirected back to the protected resource by the cdcservlet.
      However, Firefox now always sends two valid iplanet cookies for the resources. You can see this in the browser cookie list and in the HTTP request as well:
      .....
      GET /style.css
      Cookie     iPlanetDirectoryPro=; iPlanetDirectoryPro=DFA85DA..DFA85DA=#; JSESSIONID=DFA85DA..DFA85DA
      ....

      Once you delete the empty cookie, or it expires after 300 seconds = 5 minutes, everything is fine.
      Opera seems to overwrite the empty one with the correct one while Firefox does not.

      So my main question is: How can I prevent the setting of this empty 300-max-age iplanet cookie? What is it good for anyway?

      I tried experimenting with com.sun.identity.agents.config.cookie.reset.enable, but nothing changed.
      I find it particularly strange that 300 is the default value of com.sun.identity.agents.config.profile.attribute.cookie.maxage. However, I changed that value but the maxage=300 persists. Actually, I don't have any 300 whatsoever left in my config.
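
A diagnostic sketch for the symptom described in the post, added here as an example (it is not part of the original post and is not OpenSSO code): it flags cookie names that appear more than once in a `Cookie` request header and models RFC 6265 cookie storage, where a cookie is identified by name, domain and path. It assumes the login cookie carries a `Domain` attribute, which the post does not show; the host names and the session value are constructed.

```python
from collections import defaultdict

def duplicate_cookie_names(cookie_header):
    """Return {name: [values]} for every cookie name sent more than once."""
    seen = defaultdict(list)
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if pair:
            name, _, value = pair.partition("=")  # split on the first '=' only
            seen[name.strip()].append(value.strip())
    return {n: v for n, v in seen.items() if len(v) > 1}

class CookieJar:
    """Simplified RFC 6265 store: identity is (name, domain, path)."""
    def __init__(self):
        self.store = {}  # (name, domain, path) -> (value, host_only)

    def set(self, request_host, name, value, domain=None, path="/"):
        # No Domain attribute: host-only cookie bound to the request host.
        host_only = domain is None
        dom = (domain or request_host).lstrip(".").lower()
        self.store[(name, dom, path)] = (value, host_only)

    def header_for(self, host, path="/"):
        host, out = host.lower(), []
        for (name, dom, cpath), (value, host_only) in self.store.items():
            if host_only:
                domain_ok = host == dom
            else:
                domain_ok = host == dom or host.endswith("." + dom)
            if domain_ok and path.startswith(cpath):  # prefix match is enough for Path=/
                out.append(f"{name}={value}")
        return "; ".join(out)

def demo():
    jar = CookieJar()
    # Agent response from the post: empty value, Path=/, no Domain attribute.
    jar.set("app.example.com", "iPlanetDirectoryPro", "")
    # Assumed login response: same name, but scoped to the parent domain.
    jar.set("sso.example.com", "iPlanetDirectoryPro", "CONSTRUCTED-TOKEN",
            domain=".example.com")
    return jar.header_for("app.example.com", "/style.css")

if __name__ == "__main__":
    sent = demo()
    print(sent)                          # both cookies are sent side by side
    print(duplicate_cookie_names(sent))  # the empty duplicate is flagged
```

Run against captured request headers, `duplicate_cookie_names` shows whether the empty cookie is still being sent alongside the session cookie.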