Customized name for the sessionid cookie

  • Customized name for the sessionid cookie


    We are using Spring Security SAML 1.0.0.RC2 and opensaml 2.6.1 in an application running on jboss with two instances of the application.

    When we set a customized name for the sessionid cookie in web.xml we get the following stacktrace after authentication:

    org.opensaml.common.SAMLException: InResponseToField doesn't correspond to sent message
    at fileConsumerImpl.processAuthenticationResponse(Web
    at onProvider.authenticate(SAMLAuthenticationProvider.java:81)
    at erManager.authenticate(
    at lter.attemptAuthentication(SAMLProcessingFilter.java:84)
    at MLProcessingFilter.attemptAuthentication(LoggingSA
    at stractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.

    Is it possible to use a customized name for the sessionid cookie when running two instances of the application?


  • #2

    This is not a spring-security-saml2-core issue, but a mod_cluster issue, ref and

    The problem was the session wasn't sticky.

    Btw: We also encountered an issue with apache 2.4 and mod_cluster which also made the sessions non-sticky. After downgrading to apache 2.2 our sessions are sticky again.
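
Added example (not part of the thread, and not Spring Security SAML or mod_cluster code): a small Python model of the failure described in #2, where the SAML response reaches a node that never sent the request. It assumes request IDs are kept in per-node session memory and that the balancer routes on a route suffix in one configured cookie name; `MYAPPSESSION`, `node1`/`node2` and all class and function names are hypothetical.

```python
import itertools
import uuid

class Node:
    """One application instance; sessions live only in this node's memory."""
    def __init__(self, route):
        self.route = route
        self.sessions = {}  # session id -> AuthnRequest IDs sent in that session

    def send_authn_request(self):
        sid = f"{uuid.uuid4().hex}.{self.route}"  # assumed "<id>.<route>" format
        request_id = "_" + uuid.uuid4().hex
        self.sessions[sid] = {request_id}
        return sid, request_id

    def process_response(self, sid, in_response_to):
        # The response must answer a request this node remembers for this session.
        if in_response_to not in self.sessions.get(sid, set()):
            raise ValueError("InResponseToField doesn't correspond to sent message")
        return "authenticated"

class Balancer:
    """Sticky only when the request carries the cookie name it looks for."""
    def __init__(self, nodes, sticky_cookie):
        self.by_route = {n.route: n for n in nodes}
        self.sticky_cookie = sticky_cookie
        self.fallback = itertools.cycle(nodes)  # round-robin when no route found

    def pick(self, cookies):
        route = cookies.get(self.sticky_cookie, "").rpartition(".")[2]
        return self.by_route.get(route) or next(self.fallback)

def sso_round_trip(app_cookie, balancer_cookie):
    """Return the outcome of one login when the two cookie names are as given."""
    nodes = [Node("node1"), Node("node2")]
    lb = Balancer(nodes, balancer_cookie)
    sid, request_id = lb.pick({}).send_authn_request()  # first hit, no cookie
    cookies = {app_cookie: sid}  # browser stores the cookie under the app's name
    try:
        return lb.pick(cookies).process_response(sid, request_id)  # IdP posts back
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    print(sso_round_trip("JSESSIONID", "JSESSIONID"))
    print(sso_round_trip("MYAPPSESSION", "JSESSIONID"))
```

When diagnosing a real deployment, the equivalent check is whether the node that logged the outgoing AuthnRequest is the same node that logged the `InResponseToField` exception.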