1Bookmarklet and PHP to prevent Shibboleth-related Firefox Lockouts
/*
* Remove all _shibstate cookies if there are too many of them. This usually
* occurs due to Firefox session restores. Unfortunately we don't know which is
* the active state cookie, so we have to delete them all, but this is a lessor
* crime than locking the user out with server errors.
*
* In an app a good time to call this is when a user is not logged in or has an
* expired app session. This way we can cleanup their cookies before forwarding
* them to the shib login process. Also after logout you'll want to call this
* with parameter 0 to always remove them.
*
* @param int $allowableStateCookies if the number of _shibstate cookies
* exceeds this, they will all be removed.
*/
function Shibboleth_preventFirefoxLockout($allowableStateCookies = 10)
{
$stateKeys = array();
foreach ($_COOKIE as $key => $val) {
if (0 === strpos($key, '_shibstate')) {
$stateKeys[] = $key;
}
}
if (count($stateKeys) > $allowableStateCookies) {
foreach ($stateKeys as $key) {
setcookie($key, '', time() - 3600, '/');
}
}
}Here’s a bookmarklet that essentially does the same thing: Fix Shibboleth Lockout
[...] since Shibboleth gives out uniquely-named session cookies (prepended with _shibstate), failing to clean these up will lead Firefox users to the aforementioned torment. If the user has an app open all day every [...]