The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

IdPCookieUsage

Various jurisdictions now require, at a minimum, that any cookies set/used by a service be documented. This page describes the two cookies used by the IdP.

Login Context Key

During the authentication process, the IdP will set a cookie named _idp_authn_lc_key. This cookie contains only information necessary to identify the current authentication process (which usually spans multiple requests/responses) and is deleted after the authentication process completes.

Session Key

Once a user has been authenticated they will have a long-lived session with the IdP which is tracked by a cookie named _idp_session. This cookie contains only information necessary for identifying the user's IdP session. This cookie is created as "session" cookie and will be removed when the browser chooses to remove such cookies (often when the browser is closed).

Cookie Scope

In both cases, the IdP cookie is declared such that standards-compliant browsers will only send the cookie to the IdP and only over HTTPS if that is the protocol used to communicate with the IdP.