Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Multiple cookie generated with Saml.XXXXXXX #1233

Closed rezajp closed 4 years ago

rezajp commented 4 years ago

We are using the package sustainsys.saml2 2.7.0. After a few logins, we seem to have quite a few Saml cookies in the browser, which eventually leads to a "request too long" error (400) in the browser. Is this a bug, or maybe a setting we need to configure?

We are on .NET Core 3.1.

explunit commented 4 years ago

I believe the cookie gets cleared after a successful login, but if you have a high number of incomplete login flows then you may be encountering the #594 issue. That is still a problem, though some work in https://github.com/Sustainsys/Saml2/issues/1150 has made it possible for you to plug in your own cookie-handling logic e.g. to clear older cookies.

rezajp commented 4 years ago

Thanks @explunit. I did the workaround in #594 with a bit of a tweak, as my solution is in .NET Core. It seems to have resolved the issue.

explunit commented 4 years ago

Thanks for the update. I will close this issue in favor of keeping the discussion in #594.

nicklas669 commented 4 years ago

> Thanks @explunit. I did the workaround in #594 with a bit of a tweak, as my solution is in .NET Core. It seems to have resolved the issue.

Hi @rezajp. Which workaround in #594 are you talking about, this one? https://github.com/Sustainsys/Saml2/issues/594#issuecomment-561153227

rezajp commented 4 years ago

> > Thanks @explunit. I did the workaround in #594 with a bit of a tweak, as my solution is in .NET Core. It seems to have resolved the issue.
>
> Hi @rezajp. Which workaround in #594 are you talking about, this one? #594 (comment)

Yes, that is the one. That seemed to help.

nicklas669 commented 4 years ago

> Yes, that is the one. That seemed to help.

@rezajp I'm also using .NET Core, but my tweaks seem to not make any difference. I still get more and more "Saml2" cookies. Would you mind sharing how you're doing it?

rezajp commented 4 years ago

> > Yes, that is the one. That seemed to help.
>
> @rezajp I'm also using .NET Core, but my tweaks seem to not make any difference. I still get more and more "Saml2" cookies. Would you mind sharing how you're doing it?

```csharp
// Requires `using System.Linq;` and an injected IHttpContextAccessor named
// httpContextAccessor; the notification itself does not receive the HttpContext.
options.Notifications.AuthenticationRequestCreated = (request, provider, dictionary) =>
{
    const int threshold = 1;

    // Every pending login leaves a "Saml2.<relay state>" cookie behind.
    var existingCookies = httpContextAccessor.HttpContext.Request.Cookies
        .Where(kvp => kvp.Key.StartsWith("Saml2."))
        .ToList();

    if (existingCookies.Count >= threshold)
    {
        // Deletes the first (Count - threshold + 1) cookies in the order the
        // browser sent them; with threshold = 1 that is all of them.
        for (var i = 0; i <= existingCookies.Count - threshold; i++)
        {
            httpContextAccessor.HttpContext.Response.Cookies.Delete(existingCookies[i].Key);
        }
    }
};
```

`options` is of type Saml2Options.

nicklas669 commented 4 years ago

I'm doing the exact same thing. Oh well, thanks for sharing though, I will have to dig deeper :)

EDIT: I found out that this has to do with some of our cookies getting "SameSite=None" set without also having the "Secure" flag set.

AhmedAssaf commented 3 years ago
```csharp
options.Notifications.AuthenticationRequestCreated = (request, provider, dictionary) =>
{
    const int threshold = 1;
    var existingCookies = httpContextAccessor.HttpContext.Request.Cookies
        .Where(kvp => kvp.Key.StartsWith("Saml2."))
        .ToList();

    if (existingCookies.Count >= threshold)
    {
        for (var i = 0; i <= existingCookies.Count - threshold; i++)
        {
            httpContextAccessor.HttpContext.Response.Cookies.Delete(existingCookies[i].Key);
        }
    }
};
```

@rezajp, how do you configure "httpContextAccessor"?
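The stale-cookie cleanup that rezajp posted, explunit's point that the cookie handling can be plugged in from application code, and AhmedAssaf's question about where `httpContextAccessor` comes from, brought together as one complete added example. This is code written for this page, not code from the Sustainsys/Saml2 project or from any participant in the thread. It assumes Sustainsys.Saml2.AspNetCore2 2.x on ASP.NET Core 3.1, where `Saml2Options.Notifications.AuthenticationRequestCreated` has the signature used above and the per-login request-state cookies are named `Saml2.<relay state>`. The `Saml2CookieCleanup` class, the `keep` count, and the `CookieOptions` passed to `Delete` (path "/", Secure, SameSite=None) are assumptions for illustration; the delete options must mirror how the cookies were actually set in your deployment.

```csharp
// Added example for this page; not Sustainsys/Saml2 project code.
// Assumed: Sustainsys.Saml2.AspNetCore2 2.x, ASP.NET Core 3.1.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2.AspNetCore2;

public static class Saml2CookieCleanup
{
    // Prefix of the request-state cookies the library writes per login attempt (assumption).
    public const string CookiePrefix = "Saml2.";

    /// Deletes all but the <paramref name="keep"/> most recent "Saml2.*" cookies and returns
    /// the names that were deleted. Browsers send cookies with an equal path ordered by
    /// creation time, oldest first (RFC 6265 section 5.4), so the leading entries of the
    /// Cookie header are the abandoned login flows and the trailing ones are still live.
    public static IReadOnlyList<string> DeleteStale(
        IRequestCookieCollection requestCookies,
        IResponseCookies responseCookies,
        int keep,
        CookieOptions deleteOptions)
    {
        if (keep < 0) throw new ArgumentOutOfRangeException(nameof(keep));

        var names = requestCookies.Keys
            .Where(k => k.StartsWith(CookiePrefix, StringComparison.Ordinal))
            .ToList();

        var stale = names.Take(Math.Max(0, names.Count - keep)).ToList();
        foreach (var name in stale)
        {
            // A deletion is just another Set-Cookie with an expiry in the past. The browser
            // only applies it to the existing cookie if Name, Domain and Path match, and
            // Chromium-based browsers discard any Set-Cookie that carries SameSite=None
            // without Secure, which is the failure mode nicklas669 ran into above.
            responseCookies.Delete(name, deleteOptions);
        }
        return stale;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Registers IHttpContextAccessor in DI; this is the "httpContextAccessor" the
        // notification needs because its parameters do not include the HttpContext.
        services.AddHttpContextAccessor();

        services.AddAuthentication(o =>
            {
                o.DefaultScheme = "Cookies";
                o.DefaultChallengeScheme = Saml2Defaults.Scheme;
            })
            .AddCookie("Cookies")
            .AddSaml2(options =>
            {
                // SPOptions.EntityId, IdentityProviders etc. configured as usual (omitted).
            });

        // Saml2Options is registered as a named options instance under the scheme name,
        // so a second Configure call can receive the accessor by injection.
        services.AddOptions<Saml2Options>(Saml2Defaults.Scheme)
            .Configure<IHttpContextAccessor>((options, accessor) =>
            {
                options.Notifications.AuthenticationRequestCreated = (request, provider, relayData) =>
                {
                    var http = accessor.HttpContext;
                    if (http == null) return;

                    Saml2CookieCleanup.DeleteStale(
                        http.Request.Cookies,
                        http.Response.Cookies,
                        keep: 2, // assumption: allow a couple of tabs to be mid-login at once
                        deleteOptions: new CookieOptions
                        {
                            // Assumption: must equal the attributes the library used when
                            // setting the cookie, otherwise the browser keeps the old one.
                            Path = "/",
                            HttpOnly = true,
                            Secure = true,
                            SameSite = SameSiteMode.None,
                        });
                };
            });
    }
}
```

The 400 in the original report is the symptom of the Cookie header outgrowing the server's request-header limit, so the cleanup has to actually remove cookies in the browser, not just emit a Set-Cookie the browser ignores: if the deletion is silently dropped (mismatched path, or SameSite=None over plain HTTP), the cookie count keeps climbing exactly as nicklas669 describes. Keeping a small `keep` value rather than zero avoids breaking a login that is in flight in another tab.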