Cookies
mod_auth_openidc leverages 2 types of cookies:
- a short-lived "state" cookie that correlates the authentication request and response
- a long-lived "session" cookie that maintains session state after successful authentication
Both cookies are non-persistent session cookies since version 1.8.8rc4, i.e. they carry no Expires/Max-Age attribute and are discarded when the browser session ends (before that the "state" cookie was a persistent cookie with a limited expiry time).
state cookie
The "state" cookie is created when the user is redirected away to the OpenID Connect Provider for authentication. It is deleted when the user returns to the Apache server with an authentication response, whether that response indicates success or failure. It is short-lived and its lifetime can be configured with the OIDCStateTimeout configuration primitive, for which the default is 5 minutes. Note that this lifetime is enforced server-side by mod_auth_openidc against the time the state was issued, not by an expiry on the cookie itself: since 1.8.8rc4 it is a session cookie that the browser keeps for the duration of the browser session, so an unexpired-looking cookie presented after OIDCStateTimeout is still rejected.
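The state-cookie round trip described above, as an added example that is not mod_auth_openidc's own code: a small Python model that issues the cookie without Expires/Max-Age (so the browser treats it as a session cookie), enforces the 5-minute lifetime server-side from an issued-at timestamp, and deletes the cookie on return regardless of the outcome. The cookie name prefix `oidc_state_`, the HMAC-based value layout, and the `StateCookieStore` class are assumptions for illustration; the real module's cookie naming and encoding differ.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Mirrors the documented OIDCStateTimeout default of 5 minutes (seconds).
DEFAULT_STATE_TIMEOUT = 300


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class StateCookieStore:
    """Illustrative model of the short-lived "state" cookie (assumed design).

    `secret` keys the HMAC that binds the cookie to this server; `now` is
    injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, secret: bytes, timeout: int = DEFAULT_STATE_TIMEOUT, now=time.time):
        self.secret = secret
        self.timeout = timeout
        self.now = now

    def _mac(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def create(self, original_url: str):
        """Called when redirecting the browser to the OP.

        Returns the `state` request parameter and a (name, value, attributes)
        triple for the Set-Cookie header.
        """
        state = _b64url(secrets.token_bytes(16))
        issued = int(self.now())
        mac = self._mac(f"{state}:{issued}:{original_url}")
        name = f"oidc_state_{state}"  # assumed naming, not the module's scheme
        value = f"{issued}:{mac}:{original_url}"
        # No Expires/Max-Age: a non-persistent session cookie. Lifetime is
        # enforced by the `issued` timestamp checked in consume(), not by the
        # browser.
        attrs = "Path=/; HttpOnly; Secure; SameSite=Lax"
        return state, (name, value, attrs)

    def consume(self, cookies: dict, returned_state: str):
        """Called when the browser returns with the authentication response.

        `cookies` is the request's cookie jar (name -> value). Returns
        (ok, original_url_or_reason, delete_cookie_triple). The state cookie
        is removed from the jar and a deletion Set-Cookie is returned whether
        validation succeeds or fails.
        """
        name = f"oidc_state_{returned_state}"
        delete = (name, "", "Path=/; Max-Age=0")
        raw = cookies.pop(name, None)
        if raw is None:
            return False, "no state cookie for returned state", delete
        try:
            issued_s, mac, url = raw.split(":", 2)
            issued = int(issued_s)
        except ValueError:
            return False, "malformed state cookie", delete
        expected = self._mac(f"{returned_state}:{issued}:{url}")
        if not hmac.compare_digest(mac, expected):
            return False, "state cookie tampered", delete
        # Server-side lifetime check: the cookie itself never expires in the
        # browser, so this is the only thing that bounds its validity.
        if int(self.now()) - issued > self.timeout:
            return False, "state cookie expired", delete
        return True, url, delete
```

Because `consume()` pops the cookie and always hands back a deletion header, a second response carrying the same `state` finds no cookie and is rejected, and a cookie older than `timeout` seconds is rejected even though the browser would happily keep sending it for the rest of the session.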