From 728e2f681a938f25d091a8480ec6db3961ebfc98 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Jun 07 2017 13:36:26 +0000
Subject: Revert setting sessionMaxAge for old clients


Older clients have issues properly parsing cookies and the sessionMaxAge
setting is one of those that breaks them.
Comment out the setting and add a comment that explains why it is not
set by default.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index a7ca5ce..01bf9a4 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 26 - DO NOT REMOVE THIS LINE
+# VERSION 27 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -77,7 +77,9 @@ WSGIScriptReloading Off
   Session On
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
-  SessionMaxAge 1800
+  # Uncomment the following to have shorter sessions, but beware this may break
+  # old IPA client tols that incorrectly parse cookies.
+  # SessionMaxAge 1800
   GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   GssapiImpersonate On