Bug 52873 - SAML-Session stays alive after Browser is closed
Status: CLOSED WORKSFORME
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.4
Hardware: All All
Importance: P5 normal
Target Milestone: UCS 4.4-7-errata
Assigned To: Florian Best
Erik Damrose
Reported: 2021-03-08 16:39 CET by Thorsten
Modified: 2021-03-15 18:55 CET
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057


Attachments
chromium cookie expiration (11.12 KB, image/png)
2021-03-15 12:07 CET, Erik Damrose

Description Thorsten univentionstaff 2021-03-08 16:39:55 CET
This bug is related to https://forge.univention.org/bugzilla/show_bug.cgi?id=52353 which covers the issue from the UMC Session point of view (UMCSessionId).

We require the same behaviour as requested in the referenced bug but also for the session provided from the SAML IdP that is identified by "SimpleSAMLSessionID".
Comment 1 Erik Damrose univentionstaff 2021-03-15 12:07:15 CET
Created attachment 10642
chromium cookie expiration

How can this issue be reproduced? In Chromium I see that the cookie is set to expire when the browser session ends, see screenshot.

In the simplesaml config.php we configure
'session.cookie.lifetime' => 0,
Comment 2 Thorsten univentionstaff 2021-03-15 17:09:58 CET
Florian told me that https://forge.univention.org/bugzilla/show_bug.cgi?id=52353 requires a parallel bug for the SAML session as well. Actually I didn't verify that on the technical level before. But I can confirm that the SAML cookie is set as a "session" cookie. So either this bug can be rejected or Florian can comment if there was an understanding and this bug has a different scope. I'll notify him.
Comment 3 Florian Best univentionstaff 2021-03-15 18:47:10 CET
Erik is right. This is already implemented for the IDP side.
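
Added example (not part of the original report and not Univention code): the check from comment 1 can be repeated without a browser by classifying the Set-Cookie headers the IdP returns. The cookie names come from this report; the header values are constructed samples, and the second sample carries expiry attributes only for contrast.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names from the bug report; the header values below are constructed.
WATCHED = ("SimpleSAMLSessionID", "UMCSessionId")
SAMPLE_LIFETIME_ZERO = "SimpleSAMLSessionID=constructed0001; path=/; secure; HttpOnly"
SAMPLE_LIFETIME_SET = ("SimpleSAMLSessionID=constructed0002; path=/; "
                       "expires=Mon, 15 Mar 2021 20:07:15 GMT; Max-Age=28800; HttpOnly")

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime(header, now=None):
    """Return 'session', 'persistent' or 'deleted' for one Set-Cookie value."""
    now = now or datetime.now(timezone.utc)
    _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass  # an unparsable Max-Age is ignored
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # an unparsable Expires is ignored
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return "persistent" if expires > now else "deleted"
    return "session"  # no expiry attribute: dropped when the browser session ends

def audit(headers, now=None):
    """Map each watched cookie found in the headers to its lifetime class."""
    found = {}
    for header in headers:
        name, _ = parse_set_cookie(header)
        if name in WATCHED:
            found[name] = lifetime(header, now)
    return found

if __name__ == "__main__":
    for sample in (SAMPLE_LIFETIME_ZERO, SAMPLE_LIFETIME_SET):
        print(lifetime(sample), "<-", sample)
```

A cookie classified as "session" here can still survive a restart when the browser is configured to restore the previous session, so the header check and the observed browser behaviour should be compared on the same profile.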