[OpenAM] Questions on persistence of session cookie

Bernhard Thalmayr bernhard.thalmayr at painstakingminds.com
Wed Aug 10 10:00:21 EDT 2011 

On 08/10/2011 03:41 PM, Cristiano Moreira Silva wrote:
> Just to confirm: yes, it worked here too. But in my test, it created
> two "iPlanetDirectoryPro", both of them with the same value, but one
> with the domain of my OpenAM server (9.5.2), and persistent, and
> another with the domain of my agent, and not persistent.
>
> Is this the expected behavior?
>

yes

but you should really understand why this is to be expected...

-Bernhard
> Thanks!
>
> --- Em sex, 8/7/11, Bernhard Thalmayr<bernhard.thalmayr at painstakingminds.com>  escreveu:
>
>> De: Bernhard Thalmayr<bernhard.thalmayr at painstakingminds.com>
>> Assunto: Re: [OpenAM] Questions on persistence of session cookie
>> Para: openam at forgerock.org
>> Data: Sexta-feira, 8 de Julho de 2011, 15:00
>> So I got 'persistent-cookie-mode'
>> working using the new 'OpenAM way';
>> 'global option'.
>>
>> Good news it works for SSO and CDSSO without adapting
>> LoginURL/CDCServletURL (using OpenAM 9.5.1)
>>
>> Under "Configuration" ->  "Server&Sites"
>> ->'default server settings' ->
>> 'Advanced' the following property-value-pairs
>>
>> Property:
>> openam.session.persist_am_cookie
>> Value:
>> true
>>
>> Property:
>> com.iplanet.am.cookie.timeToLive
>> Value:
>> <Integer>
>>
>> Value is in minutes, it will set 'Max-Age' attribute of the
>>
>> 'SSO-tracking-cookie' to 6 times this value.
>>
>> Of course you must not 'logout' from OpenAM, but close the
>> browser to
>> keep the 'persistent cookie'.
>>
>> HTH,
>> Bernhard
>>
>>
>>
>>
>>
>>
>>
>>
>> On 07/07/2011 11:31 PM, Cristiano Moreira Silva wrote:
>>> Hi guys,
>>>
>>> And what about my questions on the PersistAMCookie
>> parameter? Considering Indira's book, it should work with
>> this "timeToLive" property. Is it still working on release
>> 9.5.2? Where this "timeToLive" property must be set?
>>>
>>> Regards.
>>>
>>> --- Em qui, 7/7/11, Bernhard Thalmayr<bernhard.thalmayr at painstakingminds.com>
>> escreveu:
>>>
>>>> De: Bernhard Thalmayr<bernhard.thalmayr at painstakingminds.com>
>>>> Assunto: Re: [OpenAM] Questions on persistence of
>> session cookie
>>>> Para: openam at forgerock.org
>>>> Data: Quinta-feira, 7 de Julho de 2011, 21:51
>>>> On 07/07/2011 07:38 PM, Major Péter
>>>> wrote:
>>>>> AFAIK CDCServlet forwards the request to the
>>>> LoginViewBean for
>>>>> authentication, so that should not cause any
>> problems.
>>>> :)
>>>>
>>>>
>>>> CDCServlet does not 'forward' the request but
>> makes the
>>>> browser do an
>>>> auto-submit to the loginURL using javascript.
>>>>
>>>> at this stage it does not retrain the
>> 'iPSPCookie=yes'
>>>> request parameter ...
>>>>
>>>> -Bernhard
>>>>>
>>>>> //correct me if I'm wrong
>>>>>
>>>>> Peter
>>>>>
>>>>> On 2011-07-07 18:24, Bernhard Thalmayr wrote:
>>>>>> About 'persistent-cookie' and CDSSO.
>>>>>>
>>>>>> AFAIC see the CDCServlet does not have any
>> notion
>>>> about
>>>>>> 'persistent-cookie-mode' so I assume it
>> will not
>>>> work for CDSSO.
>>>>>>
>>>>>> -Bernhard
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 07/07/2011 02:48 PM, Cristiano Moreira
>> Silva
>>>> wrote:
>>>>>>> Hi Peter,
>>>>>>>
>>>>>>> Ok, but what about the
>> "PersistAMCookie" URL
>>>> parameter? Isn't it
>>>>>>> independent of this DAS system,
>> available in
>>>> since OpenAM 9 or
>>>>>>> OpenSSO 8 [1]? Could you please give
>> me some
>>>> explanation on how to
>>>>>>> use or configure it, because I trying
>> to find
>>>> some further explanations
>>>>>>> on it and not finding... For example:
>> if I
>>>> want to use the
>>>>>>> "PersistAMCookie", must I set the
>> property
>>>>>>> "com.iplanet.am.cookie.timeToLive"?
>> And where
>>>> must it be set?
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> [1] See here: http://download.oracle.com/docs/cd/E19681-01/820-3885/ghubm/index.html
>>>>>>>
>>>>>>>
>>>>
>> --------------------------------------------------------
>>>>>>> Cristiano Moreira Silva
>>>>>>> "Tudo posso nAquele que me fortalece."
>> Fp.
>>>> 4:13
>>>>>>> http://br.geocities.com/crisbrsp/
>>>>>>>
>>>>>>>
>>>>>>> --- Em qui, 7/7/11, Major Péter<majorpetya at sch.bme.hu>
>>>>      escreveu:
>>>>>>>
>>>>>>>> De: Major Péter<majorpetya at sch.bme.hu>
>>>>>>>> Assunto: Re: [OpenAM] Questions
>> on
>>>> persistence of session cookie
>>>>>>>> Para: "Users"<openam at forgerock.org>
>>>>>>>> Data: Quinta-feira, 7 de Julho de
>> 2011,
>>>> 10:28
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> this might be actually a bug, as
>> far as I
>>>> looked the normal
>>>>>>>> UI does not
>>>>>>>> have this functionality while the
>> DAS
>>>> do...
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Peter
>>>>>>>>
>>>>>>>> On 2011-07-07 02:24, Cristiano
>> Moreira
>>>> Silva wrote:
>>>>>>>>> Hallo,
>>>>>>>>>
>>>>>>>>> Thanks for your answer, but
>> I've
>>>> checked in
>>>>>>>> documentation [1] that the
>> "Persistent
>>>> Cookie Mode" refers
>>>>>>>> to the iPSPCookie parameter, and
>> not to
>>>> the PersistAMCookie.
>>>>>>>> My problem is that I'd need to use
>> this
>>>> PersistAMCookie, or
>>>>>>>> some configuration as described in
>> Bug
>>>> OPENAM-168 [2], in a
>>>>>>>> CDSSO use case. Right now, I'm
>> trying to
>>>> understand exactly
>>>>>>>> where this persistent
>> configuration should
>>>> be, and whether
>>>>>>>> it can be used in CDSSO or not.
>>>>>>>>>
>>>>>>>>> Do you know something of
>> this?
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>> [1] Here: https://wikis.forgerock.org/confluence/display/openam/Core
>>>>>>>>>
>>>>>>>>> [2] https://bugster.forgerock.org/jira/browse/OPENAM-168
>>>>>>>>>
>>>>>>>>> --- Em qui, 7/7/11, Ivailo
>> Kolev<ivailokolev at dir.bg>
>>>>>>>> escreveu:
>>>>>>>>>
>>>>>>>>>> De: Ivailo Kolev<ivailokolev at dir.bg>
>>>>>>>>>> Assunto: Re: [OpenAM]
>> Questions on
>>>> persistence of
>>>>>>>> session cookie
>>>>>>>>>> Para: openam at forgerock.org
>>>>>>>>>> Data: Quinta-feira, 7 de
>> Julho de
>>>> 2011, 1:58
>>>>>>>>>> Hallo,
>>>>>>>>>>
>>>>>>>>>> I think that the same
>> properties
>>>> are available
>>>>>>>> through UI.
>>>>>>>>>> Please, check Access
>>>>>>>>>>
>>>>
>> Control/<yourrealmOrRoot>/Authentication/All
>>>>>>>> Core
>>>>>>>>>> Settings. There are two
>>>>>>>>>> controls names Persistent
>> Cookie
>>>> Mode and
>>>>>>>> Persistent Cookie
>>>>>>>>>> Maximum Time.
>>>>>>>>>>
>>>>>>>>>> Cheers, Ivo Kolev
>>>>>>>>>>
>>>>>>>>>> On 07-Jul-2011 00:36, openam-request at forgerock.org
>>>>>>>>>> wrote:
>>>>>>>>>>> Questions on
>> persistence of
>>>> session cookie
>>>>>>>>>>>
>>>>          (Cristiano
>>>>>>>> Moreira Silva)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>> _______________________________________________
>>>>>>>>>> OpenAM mailing list
>>>>>>>>>> OpenAM at forgerock.org
>>>>>>>>>> https://lists.forgerock.org/mailman/listinfo/openam
>>>>>>>>>>
>>>>>>>>>
>>>> _______________________________________________
>>>>>>>>> OpenAM mailing list
>>>>>>>>> OpenAM at forgerock.org
>>>>>>>>> https://lists.forgerock.org/mailman/listinfo/openam
>>>>>>>>>
>>>>>>>>
>>>> _______________________________________________
>>>>>>>> OpenAM mailing list
>>>>>>>> OpenAM at forgerock.org
>>>>>>>> https://lists.forgerock.org/mailman/listinfo/openam
>>>>>>>>
>>>>>>>
>>>> _______________________________________________
>>>>>>> OpenAM mailing list
>>>>>>> OpenAM at forgerock.org
>>>>>>> https://lists.forgerock.org/mailman/listinfo/openam
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>> _______________________________________________
>>>>> OpenAM mailing list
>>>>> OpenAM at forgerock.org
>>>>> https://lists.forgerock.org/mailman/listinfo/openam
>>>>>
>>>>
>>>>
>>>> --
>>>> Painstaking Minds
>>>> IT-Consulting Bernhard Thalmayr
>>>> Herxheimer Str. 5, 83620 Vagen (Munich area),
>> Germany
>>>> Tel: +49 (0)8062 7769174
>>>> Mobile: +49 (0)176 55060699
>>>>
>>>> bernhard.thalmayr at painstakingminds.com
>>>> - Solution Architect
>>>>
>>>> This e-mail may contain confidential and/or
>> privileged
>>>> information.If
>>>> you are not the intended recipient (or have
>> received this
>>>> email in
>>>> error) please notify the sender immediately and
>> delete this
>>>> e-mail. Any
>>>> unauthorized copying, disclosure or distribution
>> of the
>>>> material in this
>>>> e-mail is strictly forbidden.
>>>> _______________________________________________
>>>> OpenAM mailing list
>>>> OpenAM at forgerock.org
>>>> https://lists.forgerock.org/mailman/listinfo/openam
>>>>
>>> _______________________________________________
>>> OpenAM mailing list
>>> OpenAM at forgerock.org
>>> https://lists.forgerock.org/mailman/listinfo/openam
>>>
>>
>>
>> --
>> Painstaking Minds
>> IT-Consulting Bernhard Thalmayr
>> Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
>> Tel: +49 (0)8062 7769174
>> Mobile: +49 (0)176 55060699
>>
>> bernhard.thalmayr at painstakingminds.com
>> - Solution Architect
>>
>> This e-mail may contain confidential and/or privileged
>> information.If
>> you are not the intended recipient (or have received this
>> email in
>> error) please notify the sender immediately and delete this
>> e-mail. Any
>> unauthorized copying, disclosure or distribution of the
>> material in this
>> e-mail is strictly forbidden.
>> _______________________________________________
>> OpenAM mailing list
>> OpenAM at forgerock.org
>> https://lists.forgerock.org/mailman/listinfo/openam
>>
> _______________________________________________
> OpenAM mailing list
> OpenAM at forgerock.org
> https://lists.forgerock.org/mailman/listinfo/openam
>


-- 
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

bernhard.thalmayr at painstakingminds.com - Solution Architect

This e-mail may contain confidential and/or privileged information.If 
you are not the intended recipient (or have received this email in 
error) please notify the sender immediately and delete this e-mail. Any 
unauthorized copying, disclosure or distribution of the material in this 
e-mail is strictly forbidden.

More information about the OpenAM mailing list