On CAS 6, when we use wsfederation, the cookie WSFEDDELSESSION has a size below 3kB on the initial /wsfedredirect request. Every next request regenerates the WSFEDDELSESSION cookie with a similar size.
After migration to CAS 7 we have noticed that the WSFEDDELSESSION cookie size is a little bigger on the first request but it exceeds 8kB on the second request. The browser refuses to accept HTTP headers bigger than 4kB, so the cookie is ignored and remains with the previous value.
After some investigation I think there is some misuse of the Service instance when it is stored as a cookie in WsFederationCookieManager:
In CAS 7 there is a change in the populated Service attributes compared to the CAS 6 implementation:
These request-oriented fields contain the values of cookies, and on the second /wsfedredirect request one of these cookies is the WSFEDDELSESSION cookie. After Service serialization it is substantially bigger because the value of this cookie is about 2,5kB and it is repeated twice in the Service attributes list (in jakarta.servlet.http.HttpServletRequest.cookie-WSFEDDELSESSION and in jakarta.servlet.http.HttpServletRequest.header-Cookie).
In CAS 6 the Service instance has no request-oriented fields, so cookies are not serialized into the WSFEDDELSESSION cookie.
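
The feedback loop described in this post, modelled as an added example that is not part of the original post and is not CAS code. The JSON plus base64 serializer, the sample parameters and the `strip_request_attributes` filter are assumptions made for illustration; only the two attribute names and the 4kB limit come from the post.

```python
import base64
import json

# Attribute names quoted in the post; all values below are constructed.
REQUEST_PREFIX = "jakarta.servlet.http.HttpServletRequest."
COOKIE_ATTR = REQUEST_PREFIX + "cookie-WSFEDDELSESSION"
HEADER_ATTR = REQUEST_PREFIX + "header-Cookie"
BROWSER_LIMIT = 4096  # 4kB limit stated in the post


def service_attributes(incoming_cookie, capture_request):
    """Model the Service attributes for one /wsfedredirect request."""
    attrs = {"wa": ["wsignin1.0"], "wtrealm": ["urn:example:realm"],
             "wctx": ["x" * 1800]}  # constructed payload, ~2.5kB once encoded
    if capture_request and incoming_cookie:
        # CAS 7 behaviour described in the post: the previous cookie value
        # is copied into the Service twice, as a cookie and as a header.
        attrs[COOKIE_ATTR] = [incoming_cookie]
        attrs[HEADER_ATTR] = ["WSFEDDELSESSION=" + incoming_cookie]
    return attrs


def encode_cookie(attrs):
    """Stand-in serializer (JSON + base64); real CAS also encrypts and signs."""
    raw = json.dumps({"id": "https://sp.example.org/", "attributes": attrs})
    return base64.urlsafe_b64encode(raw.encode()).decode()


def strip_request_attributes(attrs):
    """Hypothetical mitigation: drop request-scoped entries before storing."""
    return {k: v for k, v in attrs.items() if not k.startswith(REQUEST_PREFIX)}


def simulate(rounds, capture_request, strip=False):
    """Return the size of the cookie the server emits on each request."""
    sizes, stored = [], None
    for _ in range(rounds):
        attrs = service_attributes(stored, capture_request)
        if strip:
            attrs = strip_request_attributes(attrs)
        candidate = encode_cookie(attrs)
        sizes.append(len(candidate))
        if len(candidate) <= BROWSER_LIMIT:
            stored = candidate  # browser accepts; otherwise the old value stays
    return sizes


if __name__ == "__main__":
    print("no request attributes:", simulate(3, capture_request=False))
    print("request attributes   :", simulate(3, capture_request=True))
    print("stripped before store:", simulate(3, capture_request=True, strip=True))
```

In this model the second and every later cookie stays oversized, because the browser keeps sending the first accepted value and the server keeps embedding it twice.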