CAS 7 too big WSFEDDELSESSION cookie

Sławomir Jodyński

Jul 19, 2024, 7:05:03 AM
to CAS Community
On CAS 6, when we use wsfederation, the WSFEDDELSESSION cookie has a size below 3kB on the initial /wsfedredirect request. Every subsequent request regenerates the WSFEDDELSESSION cookie with a similar size.

After migration to CAS 7 we have noticed that the WSFEDDELSESSION cookie size is a little bigger on the first request, but it exceeds 8kB on the second request. The browser denies accepting HTTP headers bigger than 4kB, so the cookie is ignored and remains with the previous value.

After some investigation I think there is some misuse of the Service instance when it is stored as a cookie in WsFederationCookieManager:


In CAS 7 there is a change in the Service populated attributes compared to the CAS 6 implementation:


These request-oriented fields contain the values of cookies, and on the second /wsfedredirect request one of these cookies is the WSFEDDELSESSION cookie. After Service serialization it is substantially bigger because the value of this cookie is about 2,5kB and it is repeated twice in the Service attributes list (in jakarta.servlet.http.HttpServletRequest.cookie-WSFEDDELSESSION and in jakarta.servlet.http.HttpServletRequest.header-Cookie).

In CAS 6 the Service instance has no request-oriented fields, so cookies are not serialized into the WSFEDDELSESSION cookie.

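The size growth described in the post above, as an added model that is neither CAS code nor part of the original message. Only the cookie name and the two attribute key names come from the post; the function names, the JSON plus base64 encoding, the padding and the sample attribute values are assumptions chosen to reproduce the reported sizes.

```python
import base64
import json

BROWSER_COOKIE_LIMIT = 4096  # the 4kB limit mentioned in the post
REQUEST_PREFIX = "jakarta.servlet.http.HttpServletRequest."  # key prefix from the post


def encode_session(state):
    """Stand-in for cookie serialization (assumption: JSON + base64, not CAS's format)."""
    raw = json.dumps(state, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()


def service_attributes(request_cookies, capture_request):
    """Attribute map of a hypothetical Service for one /wsfedredirect request."""
    attrs = {"wtrealm": ["urn:example:realm"], "wa": ["wsignin1.0"]}  # constructed
    if capture_request:  # behaviour the post reports for CAS 7
        for name, value in request_cookies.items():
            attrs[REQUEST_PREFIX + "cookie-" + name] = [value]
        if request_cookies:
            header = "; ".join(f"{k}={v}" for k, v in request_cookies.items())
            attrs[REQUEST_PREFIX + "header-Cookie"] = [header]
    return attrs


def strip_request_attributes(attrs):
    """Hypothetical mitigation: drop request-scoped attributes before storing state."""
    return {k: v for k, v in attrs.items() if not k.startswith(REQUEST_PREFIX)}


def simulate(requests, capture_request, strip=False):
    """Return the WSFEDDELSESSION size produced by each successive request."""
    jar, sizes = {}, []
    for _ in range(requests):
        attrs = service_attributes(jar, capture_request)
        if strip:
            attrs = strip_request_attributes(attrs)
        # Padding models the remaining session state (first cookie is about 2.4kB).
        cookie = encode_session({"service": attrs, "pad": "x" * 1700})
        sizes.append(len(cookie))
        if len(cookie) <= BROWSER_COOKIE_LIMIT:
            jar["WSFEDDELSESSION"] = cookie  # otherwise the old value stays in the jar
    return sizes
```

In this model the second request embeds the previous cookie value twice, so the new cookie passes 8kB and is rejected, while filtering the request-scoped keys keeps every request at the first request's size.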