Forum Discussion

nickz
Guide
10 years ago

Why was the SSO cookie not written into the response when using the Firefox browser?

We use Lithium SSO in our product. When users log into the website, we will call LithiumSSOClient.writeLithiumCookie() to write the SSO cookie. When I use Firefox to log into our website, I coul...
  • DougS
    10 years ago

    When an SSO cookie is processed, Lithium tries to delete the cookie and replace it with a cookie that starts with an exclamation point (!lithiumSSO:). This is to prevent the app from trying to process the same cookie it's already processed more than 1 time, which we don't allow (for security reasons). We also put time limits on how long an SSO token is good for, so it's best practice to only set an SSO cookie right before sending a browser to the community.

    It shouldn't matter how you generate the cookie (server-side or ajax call), as long as the request is secure and cannot be used to get an SSO token that lets you log in as another user.

    If you are making an ajax call to another domain to get an SSO cookie, make sure you have CORS configured correctly for that community and are sending the correct headers.

    If an SSO cookie is set by an ajax call, you should always reload the page (or make another ajax request with the SSO cookie) since the SSO processing happens on the server-side.

    I googled "ajax can't set cookie firefox" and found this Stack Overflow article:

    Jquery Ajax Firefox not sending cookie (Chrome works)

    Maybe what you're trying is related?

    -Doug
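
The CORS and reload points in the answer above, as an added example that is not part of the original thread or Lithium's own code: a check of the response headers a browser needs before it will accept a cookie from a cross-origin ajax call, plus the client call that sends credentials and then reloads. The origins, the `tokenUrl` endpoint and both function names are assumptions made for illustration.

```javascript
// Added example: would a browser accept Set-Cookie from this cross-origin
// ajax response? Header names are the standard CORS ones; function names
// and the sample origins used with them are hypothetical.
function checkCredentialedCors(pageOrigin, responseHeaders, sentWithCredentials) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const problems = [];
  if (!sentWithCredentials) {
    // XHR needs withCredentials = true, fetch needs credentials: "include";
    // without it the browser drops cookies set by a cross-origin response.
    problems.push("request was not sent with credentials");
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (allowOrigin === "*") {
    // The wildcard is rejected by browsers for credentialed requests.
    problems.push("Access-Control-Allow-Origin must name the origin, not '*'");
  } else if (allowOrigin !== pageOrigin) {
    problems.push(`Access-Control-Allow-Origin '${allowOrigin}' is not '${pageOrigin}'`);
  }
  // The value is compared case-sensitively by browsers.
  if (h["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials must be exactly 'true'");
  }
  return problems;
}

// Browser side: ask for the SSO cookie with credentials, then reload so the
// server processes it. tokenUrl is a hypothetical endpoint on your own site.
async function fetchSsoCookieThenReload(tokenUrl) {
  const res = await fetch(tokenUrl, { method: "POST", credentials: "include" });
  if (!res.ok) throw new Error(`SSO token request failed: ${res.status}`);
  // Set the cookie right before use: the token is short-lived and single-use.
  window.location.reload();
}
```

An empty array from `checkCredentialedCors` means the CORS side is in order; anything else names the header to fix before looking at browser-specific behaviour.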