fix/improve the documentation for OIDCStateMaxNumberOfCookies; see #1355

zandbelt · zandbelt · commit 73b2c8ad4545 · 2025-10-10T18:43:45.000+02:00
Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/auth_openidc.conf b/auth_openidc.conf
@@ -609,14 +609,11 @@
 #OIDCStripCookies [<cookie-name>]+
 
 # Specify the maximum number of state cookies, i.e. the maximum number of parallel outstanding
-# authentication requests. See: https://github.com/OpenIDC/mod_auth_openidc/issues/331
-# Setting this to 0 means unlimited, until the browser or server gives up which is the
-# behavior of mod_auth_openidc < 2.3.8, which did not have this configuration option. 
-#
-# The optional second boolean parameter if the oldest state cookie(s) will be deleted, 
-# even if still valid; see #399.
-#
-# When not defined, the default is 7 and "false", thus the oldest cookie(s) will not be deleted.
+# authentication requests. See: https://github.com/OpenIDC/mod_auth_openidc/wiki/Cookies#state-cookie
+# Setting this to 0 means unlimited, until the browser or server gives up. 
+# The optional second boolean parameter if the oldest state cookie(s) will be deleted, even if still
+# valid to limit the number of cookies. Use the latter with care as it could result in browser looping.
+# When not defined, the default is 7 and "false".
 #OIDCStateMaxNumberOfCookies <number> [false|true]
 
 # Define the cookie prefix for the state cookie.
