CAS 7.1.4 - large headers due to TGC cookie values during timeout logout


Milan Siebenbürger

Feb 27, 2025, 2:33:33 AM
to CAS Community
Hello,

After upgrading to CAS 7.1.4, we started experiencing issues with Nginx reporting buffer size limit exceeded errors during session timeout logouts.

We investigated the issue and found the root cause in the cookie removal process. When a session times out,
org.apereo.cas.web.flow.login.InitialFlowSetupAction#configureWebflowForTicketGrantingTicket calls clearTicketGrantingCookieFromContext, which in turn calls ticketGrantingTicketCookieGenerator.removeAll(request, response). When the normal logout occurs, this method is not called.

The removeAll method sets the Set-Cookie header for TGC across all available paths (/, /cas, /cas/) with setMaxAge(0), but crucially, it includes the entire original TGC value in each cookie. Since the TGC contains a JWT token, it's quite large, and having it repeated three times in the response headers exceeds the buffer limit.

We've applied a workaround by changing the Nginx configuration, but we would like to inquire:

1. Is it intentional that during a normal logout, only one cookie is sent:

Set-Cookie: TGC=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/cas; Secure; HttpOnly

While during a timeout logout, three large cookies are sent:

Set-Cookie: TGC=eyJhb...VAw; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/
Set-Cookie: TGC=eyJhb...VAw; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/cas/
Set-Cookie: TGC=eyJhb...VAw; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/cas

and also the first one:

Set-Cookie: TGC=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/cas; Secure; HttpOnly

So 4 Set-Cookie headers are sent (3 of them with a value, 1 with no value, all of them with Max-Age=0, different paths).

2. Is it necessary for the removeAll method to include the entire cookie value?
Since the cookies are being expired with Max-Age=0, wouldn't it be sufficient to use an empty value like in the normal logout case?

Thanks for any opinion on that.
Best regards,
Milan Siebenbürger
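The two removal strategies the post contrasts, as an added example that is not part of the original post and not CAS or Nginx code: it builds one expiring Set-Cookie header per path the way removeAll does (echoing the full TGC value) and the way normal logout does (empty value), measures the resulting header block, and runs both through a minimal RFC 6265-style cookie jar to show the cookie is deleted either way. The 8192-byte buffer is an assumed stand-in for whatever Nginx limit was hit, and the TGC value is a constructed placeholder, not a real ticket.

```python
"""Added example (not CAS or Nginx code): model the two TGC removal strategies
from the post, compare Set-Cookie header size, and confirm a cookie jar drops
the cookie regardless of whether the value is echoed.

Assumptions, not from the post: the 8192-byte buffer stands in for the Nginx
limit that was exceeded; FAKE_TGC is a constructed JWT-sized placeholder."""
from typing import Dict, List, Tuple

EXPIRES = "Thu, 01 Jan 1970 00:00:10 GMT"   # Expires value shown in the post
REMOVAL_PATHS = ["/", "/cas/", "/cas"]        # paths covered by removeAll, per the post
FAKE_TGC = "eyJhb" + "A" * 3000 + "VAw"       # constructed stand-in, ~3 KB like a JWT


def removal_headers(name: str, value: str, paths: List[str], keep_value: bool) -> List[str]:
    """One expiring Set-Cookie per path. keep_value=True mirrors removeAll()
    echoing the original value; False mirrors normal logout (TGC=)."""
    v = value if keep_value else ""
    return [f"Set-Cookie: {name}={v}; Max-Age=0; Expires={EXPIRES}; Path={p}" for p in paths]


def header_block_size(headers: List[str]) -> int:
    """Wire size of a header block: each line plus CRLF, plus the final CRLF."""
    return sum(len(h.encode("utf-8")) + 2 for h in headers) + 2


def fits_in_buffer(headers: List[str], buffer_size: int) -> bool:
    return header_block_size(headers) <= buffer_size


class CookieJar:
    """Minimal jar keyed by (name, path); domain handling omitted for brevity."""

    def __init__(self) -> None:
        self.store: Dict[Tuple[str, str], str] = {}

    def apply(self, header: str) -> None:
        body = header.split(":", 1)[1].strip()
        parts = [p.strip() for p in body.split(";")]
        name, _, value = parts[0].partition("=")
        attrs: Dict[str, str] = {}
        for attr in parts[1:]:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip()
        key = (name, attrs.get("path", "/"))
        max_age = attrs.get("max-age")
        if max_age is not None and int(max_age) <= 0:
            # Deletion matches on name and path only; the echoed value is irrelevant.
            self.store.pop(key, None)
        else:
            self.store[key] = value

    def cookies_for(self, request_path: str) -> Dict[str, str]:
        """Cookies whose Path attribute path-matches request_path (RFC 6265 5.1.4)."""
        out: Dict[str, str] = {}
        for (name, cpath), value in self.store.items():
            if request_path == cpath or (
                request_path.startswith(cpath)
                and (cpath.endswith("/") or request_path[len(cpath):].startswith("/"))
            ):
                out[name] = value
        return out


def simulate_timeout_logout(keep_value: bool, buffer_size: int = 8192) -> Tuple[bool, bool]:
    """Returns (headers fit in buffer, TGC still sent to /cas/login after removal)."""
    jar = CookieJar()
    jar.apply("Set-Cookie: TGC=" + FAKE_TGC + "; Path=/cas")  # cookie as set at login
    headers = removal_headers("TGC", FAKE_TGC, REMOVAL_PATHS, keep_value)
    for h in headers:
        jar.apply(h)
    return fits_in_buffer(headers, buffer_size), "TGC" in jar.cookies_for("/cas/login")


if __name__ == "__main__":
    for keep in (True, False):
        fits, still_present = simulate_timeout_logout(keep)
        print(f"echo value={keep}: fits buffer={fits}, TGC still present={still_present}")
```

Running it shows the point of question 2: with the value echoed, three removal headers alone come to over 9 KB and blow the assumed 8 KB buffer, while the empty-value form is a few hundred bytes; the jar ends up without the TGC in both cases, because a Max-Age=0 cookie is matched for deletion on name and path, not on its value.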