Feature Request: Provide a cookie for indicating logged in or not #1534
Comments
What version were you running before? I'm curious to find out what happened and why it stopped working.
Thanks for your quick reply. We used to use 1.13.1 (yes, too old, I know). We have several applications like a.example.com, b.example.com etc. In the past, we use the existence of
Well yeah, your application shouldn't be touching SSP's cookies.. If you remove it in your application, it's not strange that SSP can't find it anymore (hence the NO STATE error). Try leaving cookie management to SSP instead and you should be fine.
Oops, didn't realize that I'm using the wrong account... Could you please delete that comment? I was laughing that you're right, we shouldn't touch another system's stuff. Every time one uses things for purposes other than their intention, things will probably go wrong, like those undocumented APIs. By the way, what do you think of my implementation? I can submit a PR.
I think you should just continue reading the
I'm not sure how I can know if a user is authenticated or not from reading the cookie. For example, when I'm logged in I can see that the value of the cookie is
Maybe I'm just not following your use-case.. If you log out, you would also kill your application's session, right? So as soon as you hit the application again, it would force you to (re-)authenticate at the IDP to get a new SAML token and start a new application session.. If you keep your SP's session duration <= to the IDP's session duration, you can never end up being logged in to an application without having a valid SSO session at the IDP. Or am I missing the point here?
The point is our applications may not require users to log in. Think of youtube.com. You can watch videos without logging in, but if you logged in at google.com, YouTube would do SSO for you depending on some shared cookies. Can you understand what I mean? I need a way to tell if a user has logged in... If the cookie is still there even after logging out, the server won't know if we need to SSO for the user.
I think that's what the cdc-module (= Common Domain Cookie) can do for you, but I must say I have no experience with this.
Hmm, I wonder if there are some docs for this module... glanced at it and got no idea what it does.
Unfortunately nobody knows exactly ... However, the concept of the "Common Domain Cookie" may be useful for your specific use case.
Is your feature request related to a problem? Please describe.
Our organization used to use the existence of session.authtoken.cookiename to determine if a user is logged in/has a valid SSO session. But in the recent version (i.e. 1.19.1), the session.authtoken.cookiename is not cleared after logging out. Thus, I'm looking for a new variable like session.loggedinindicator.cookiename
Describe the solution you'd like
Currently, I've implemented a working solution by introducing the following code:
Describe alternatives you've considered
N/A
Additional context
N/A