Bookmarklet and PHP to prevent Shibboleth-related Firefox Lockouts

Reason this might be useful.

/**
 * Remove all _shibstate cookies if there are too many of them. This usually
 * occurs due to Firefox session restores. Unfortunately we don't know which is
 * the active state cookie, so we have to delete them all, but this is a lesser
 * crime than locking the user out with server errors.
 *
 * In an app a good time to call this is when a user is not logged in or has an
 * expired app session. This way we can clean up their cookies before forwarding
 * them to the shib login process. Also after logout you'll want to call this
 * with parameter 0 to always remove them.
 *
 * @param int $allowableStateCookies if the number of _shibstate cookies
 * exceeds this, they will all be removed.
 */
function Shibboleth_preventFirefoxLockout($allowableStateCookies = 10)
{
    $stateKeys = array();
    // Collect every cookie whose name begins with "_shibstate".
    foreach ($_COOKIE as $key => $val) {
        if (0 === strpos($key, '_shibstate')) {
            $stateKeys[] = $key;
        }
    }
    // Over the limit: expire all of them on path "/".
    if (count($stateKeys) > $allowableStateCookies) {
        foreach ($stateKeys as $key) {
            setcookie($key, '', time() - 3600, '/');
        }
    }
}

Here’s a bookmarklet that essentially does the same thing: Fix Shibboleth Lockout
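
The same cleanup logic in browser JavaScript, as an added example (this is not the original bookmarklet's code). `shibStateNames`, `preventLockout` and `fakeDocument` are names made up for this sketch, and the cookie values are constructed; cookies set with the HttpOnly flag are not exposed through `document.cookie`, so script can only count and expire the ones it can read.

```javascript
const PREFIX = '_shibstate';

// Names of all script-visible cookies that start with PREFIX.
// cookieString uses the document.cookie format: "a=1; b=2".
function shibStateNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf('=');
      return eq === -1 ? pair : pair.slice(0, eq);
    })
    .filter((name) => name.startsWith(PREFIX));
}

// If more than `allowable` state cookies exist, expire all of them on
// path "/" (the path the PHP function uses). Returns the names removed.
function preventLockout(doc, allowable = 10) {
  const names = shibStateNames(doc.cookie);
  if (names.length <= allowable) return [];
  for (const name of names) {
    doc.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
  }
  return names;
}

// Constructed stand-in for `document`, so the logic runs outside a browser.
function fakeDocument(initial) {
  const jar = new Map(Object.entries(initial));
  return {
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(directive) {
      const [pair, ...attrs] = directive.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq);
      const expired = attrs.some((a) => /^expires=Thu, 01 Jan 1970/i.test(a));
      if (expired) jar.delete(name);
      else jar.set(name, pair.slice(eq + 1));
    },
  };
}
```

In a browser, `preventLockout(document, 0)` corresponds to the PHP call with parameter 0; the expiry only takes effect for cookies that were set on path `/`.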
