> I recently encountered a 413 HTTP error, which occurred because someone had
> Firefox configured to remember which tabs were open and always closed the
> browser instead of explicitly logging out of the application. This appears
> to have happened because the Shibboleth service provider assigns unique
> names to Shibboleth cookies and these cookies are never cleared out.

That's not the case, they're cleared out in the normal fashion in most
scenarios, and none of them are persistent (well, none but one that's beside
the point here). The fact that the session restore behavior prevents them
from being disposed of is not something I can fix.

> For the time being, I recommended always explicitly logging out of the
> application, but I imagine that other people may run into this problem.

Logging out should have no effect on this, particularly since that would clear
the cookies in the same way, and because there are cookies generated both
before and after login.

> Is there a way to configure the SP to look for cookies that it
> previously set and clear them? I can imagine cases in which this
> shouldn't be done (for example when there are multiple SPs in the same
> domain), but I don't see any reason not to do it in this case. I could
> be missing something, though.

The only way to clear a cookie is to set one with an expiration in the past.
That's what it does.

It may be the case that using JavaScript directly to affect the cookie store
has different behavior, but if that were the "solution", I'd have to
generate something with JavaScript in it, and right now all of the normal
flows in the SP are redirects.

-- Scott
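
An added example, not part of the original thread and not the Shibboleth SP's code: a Python sketch of the clearing mechanism described above (one Set-Cookie with a past expiration per cookie), applied to a constructed request Cookie header that has accumulated many entries. The `_shibsession_`/`_shibstate_` prefixes, the 8190-byte budget, the function names and all sample values are assumptions.

```python
from email.utils import formatdate

# Assumed name prefixes; the thread only says the SP gives its cookies unique names.
SP_PREFIXES = ("_shibsession_", "_shibstate_")
HEADER_BUDGET = 8190  # assumed per-header size limit; check your server's setting


def parse_cookie_header(value):
    """Split a request Cookie header into (name, value) pairs, keeping order."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            pairs.append((name.strip(), val.strip()))
    return pairs


def audit(value, keep=()):
    """Report header size, whether it exceeds the budget, and leftover SP cookies."""
    names = [n for n, _ in parse_cookie_header(value)]
    stale = [n for n in names if n.startswith(SP_PREFIXES) and n not in keep]
    size = len("Cookie: " + value)
    return {"size": size, "over_budget": size > HEADER_BUDGET, "stale": stale}


def expire_headers(names, path="/", secure=True):
    """Build Set-Cookie values that clear each cookie (empty value, past date).

    Path (and Domain, if one was set) must match the original cookie. The
    request Cookie header does not carry them, so the caller has to know them.
    """
    past = formatdate(0, usegmt=True)  # the Unix epoch, formatted as an HTTP date
    attrs = f"; Path={path}; Expires={past}; Max-Age=0; HttpOnly"
    if secure:
        attrs += "; Secure"
    return [f"{name}={attrs}" for name in names]


def sample_header(count=120):
    """Constructed input: many leftover state cookies plus one live session."""
    value = "https%3A%2F%2Fapp.example.org%2Fpage" + "x" * 40
    cookies = [f"_shibstate_{i:08x}={value}" for i in range(count)]
    cookies.append("_shibsession_0000=_constructed")
    return "; ".join(cookies)


if __name__ == "__main__":
    report = audit(sample_header(), keep=("_shibsession_0000",))
    print(report["size"], report["over_budget"], len(report["stale"]))
    print("Set-Cookie: " + expire_headers(report["stale"][:1])[0])
```
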