Bug #3745

GET argument should have higher priority than the cookies _redirect_user_idp and redirect_state

Added by Thomas Lenggenhager almost 3 years ago. Updated over 1 year ago.

Status:ClosedStart date:2016-09-15
Priority:NormalDue date:
Assignee:Lukas Hämmerle% Done:


Target version:1.21
Affected Version:


An SP with embedded wayf can be configured that way that the wayf sets the cookies _redirect_user_idp and redirect_state with the idea that the user should never see again the embedded way ob that SP and gets automatically redirected to the IdP.

However, a negative side effect of the current code is that when the user visits another SP using the embedded wayf, the user is not able to change to another IdP. Whatever the user picks in the list of IdPs, as soon as he clicks 'login', he gets redirected to the IdP set in the _redirect_user_idp cookie!

For most cases it is probably sufficient to prioritize the GET argument over the cookie value.

One could think a case where a user has an account at IdP X and IdPY. The user wants to use SP A with the account of IdP X and SP B with the account of IdPY. Both SPs A and B configure their embedded way to make use of the cookies _redirect_user_idp and redirect_state. Now let's assume the user goes to SP A picks IdP X. This works fine. Now he connects to SP B and gets automatically redirected to IdP X. The user has never the chance to pick IdP Y. The user needs to manually remove the two cookies set by the wayf whenever he changes between SP A and B.
Probably the cookies need to include the entity ID of the SP to only have an effect for the SP that did set the cookies.


#1 Updated by Lukas Hämmerle over 1 year ago

  • Target version set to 1.21

This is now implemented. GET has priority over cookie.

#2 Updated by Lukas Hämmerle over 1 year ago

  • Status changed from New to Closed

Also available in: Atom PDF