Browser Back button case error after user login


abc...@gmail.com

Jul 27, 2016, 4:25:36 AM
to SimpleSAMLphp
I have configured SimpleSAMLphp (SP) to SSO with ADFS (IdP). After the user logs in and is redirected back to SimpleSAMLphp, they click the back button, and an exception will occur:

SimpleSAML_Error_NoState: NOSTATE

Backtrace:
2 /var/simplesamlphp/lib/SimpleSAML/Auth/State.php:225 (SimpleSAML_Auth_State::loadState)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:67 (require)
0 /var/simplesamlphp/www/module.php:134 (N/A)


Is there any patch or workaround that can fix this issue? Thank you.




Peter Schober

Jul 27, 2016, 7:26:47 AM
to SimpleSAMLphp
* abc...@gmail.com <abc...@gmail.com> [2016-07-27 10:25]:
> I have configured SimpleSAMLphp (SP) to SSO with ADFS(IDP). After User
> login and redirect back to the SimpleSAMLphp, then click the back
> button.

SAML Web Browser SSO in general doesn't take to use of the browser's
back button, due to the workarounds involved (HTTP POST, HTTP
redirects) to pass messages along between servers, using generic web
browsers without active components.

If people could provide comments and experiences from using the code
in the issue referenced that may help move the discussion along.
Otherwise it will remain at the level of "If it hurts don't do it".
(Why log in to a service and then hit the back button?)
Also I'm pretty sure this will break at the next hop back, too,
leading to warnings about repeated HTTP POSTs in the browser, for
example.
-peter

abc...@gmail.com

Jul 27, 2016, 9:29:23 PM
to SimpleSAMLphp, peter....@univie.ac.at


Peter Schober wrote on Wednesday, July 27, 2016 at 7:26:47 PM UTC+8:
We recently received some suggestions asking whether this can be fixed. In terms of user experience, it will be strange for users to see the error page after clicking the back button.

  

Jaime Perez Crespo

Jul 28, 2016, 1:58:19 AM
to simple...@googlegroups.com
Hi,

What version of SimpleSAMLphp are you using?

--
Jaime

account test

Jul 28, 2016, 3:02:24 AM
to simple...@googlegroups.com
I am currently using 1.14.4.


Jaime Perez Crespo

Jul 28, 2016, 3:45:42 AM
to simple...@googlegroups.com
Hi again,

I’ve just tested with five different web browsers: Firefox, Firefox Developer Edition, Opera, Safari and Chrome. In none of them did I get a NOSTATE error. The way they handle this case varies a bit, though. Firefox is by far the worst, since it shows a page telling the user the page has expired (an internal message, it doesn’t even perform a request).

In any case, you should never get such an error when hitting the back button after a successful authentication. In general, NOSTATE errors usually indicate a misconfiguration or a misuse of the library. Could you please provide more details to help us reproduce the issue? E.g.:

- Are you using passive authentication, as in the thread you are referring to?
- Are you using IdP-first authentication?
- What do you see in the SimpleSAMLphp log?
- What HTTP requests are exchanged? Not only the request that’s failing, but all of them in the entire flow.

On 28 Jul 2016, at 09:02 AM, account test <abc...@gmail.com> wrote:
> I am currently using 1.14.4.

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

account test

Jul 28, 2016, 4:47:54 AM
to simple...@googlegroups.com
Hello,

I just upgraded SimpleSAMLphp, and the current version is 1.14.6.

I just use the authentication page at https://xxxxxxxxxxxx/simplesaml/module.php/core/authenticate.php to test with ADFS. When I click the sources link, I am redirected to the ADFS login page. After logging in and being redirected back to SimpleSAMLphp, I can see a list of attributes on the page. Then I click the back button, and the NOSTATE error is displayed.

SimpleSAML_Error_NoState: NOSTATE

Backtrace:
2 /var/simplesamlphp/lib/SimpleSAML/Auth/State.php:263 (SimpleSAML_Auth_State::loadState)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:78 (require)
0 /var/simplesamlphp/www/module.php:137 (N/A)


I checked the process with SAML tracer. When I click the back button, the browser goes back to the ADFS page, and the ADFS page sends the request and then redirects the user back to SimpleSAMLphp.



This is the file saml20-idp-host.php:

  'sign.logout'=>TRUE,
  'contacts' =>
  array (
    0 =>
    array (
      'contactType' => 'support',
      'Location' => 'https://xxxxxxxxxxx/adfs/ls/',
    ),
    1 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://xxxxxxxxxxx/adfs/ls/',
    ),
    1 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://xxxxxxxxxxx/adfs/ls/',
    ),
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => 'xxxxxxxxxxxxxxx',
    ),
    1 =>
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'xxxxxxxxxxxxxxxxxxxxxx',
    ),
    2 =>
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'xxxxxxxxxxxxxxx',
    ),
  ),
);

- What is the difference between active authentication and password authentication? The user needs to input the username and password in the ADFS login form; I think this is active authentication?
- I am using SP-initiated sign in.
- Here is the log:

Jul 28 16:43:52 simplesamlphp DEBUG [fcf7da456b] Loading state: '_a43d7528f040c02dbcd9ce7de11522ce78b446d0a7'
Jul 28 16:43:52 simplesamlphp ERROR [fcf7da456b] SimpleSAML_Error_NoState: NOSTATE
Jul 28 16:43:52 simplesamlphp ERROR [fcf7da456b] Backtrace:
Jul 28 16:43:52 simplesamlphp ERROR [fcf7da456b] 2 /var/simplesamlphp/lib/SimpleSAML/Auth/State.php:263 (SimpleSAML_Auth_State::loadState)
Jul 28 16:43:52 simplesamlphp ERROR [fcf7da456b] 1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:78 (require)
Jul 28 16:43:52 simplesamlphp ERROR [fcf7da456b] 0 /var/simplesamlphp/www/module.php:137 (N/A)
Jul 28 16:43:52 simplesamlphp ERROR [fcf7da456b] Error report with id 1cff2658 generated.
Jul 28 16:43:52 simplesamlphp DEBUG [fcf7da456b] Session: Valid session found with 'default-sp'.
Jul 28 16:43:52 simplesamlphp DEBUG [fcf7da456b] Template: Reading [/var/simplesamlphp/dictionaries/errors]
Jul 28 16:43:52 simplesamlphp DEBUG [fcf7da456b] Template: Reading [/var/simplesamlphp/modules/core/dictionaries/no_state]
Jul 28 16:43:52 simplesamlphp DEBUG [fcf7da456b] Received message:
.........

- You mean the whole login out process?

Thank you very much for your reply.
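
Added example, not part of the thread and not code from any poster or from the SimpleSAMLphp project: it groups SimpleSAMLphp log lines by the bracketed tracking id and flags NOSTATE errors raised in a request that also logs a valid session, which is the pattern in the log posted above. The line format is taken from that log; the second sample request, the function name and the verdict labels are constructed, and reading that pattern as a re-posted response is an assumption.

```python
import re

# Constructed sample: first request copies the thread's log; 0000000000 is invented.
SAMPLE_LOG = """\
Jul 28 16:43:52 simplesamlphp DEBUG [fcf7da456b] Loading state: '_a43d7528f040c02dbcd9ce7de11522ce78b446d0a7'
Jul 28 16:43:52 simplesamlphp ERROR [fcf7da456b] SimpleSAML_Error_NoState: NOSTATE
Jul 28 16:43:52 simplesamlphp ERROR [fcf7da456b] Error report with id 1cff2658 generated.
Jul 28 16:43:52 simplesamlphp DEBUG [fcf7da456b] Session: Valid session found with 'default-sp'.
Jul 28 16:50:10 simplesamlphp DEBUG [0000000000] Loading state: '_constructed_state_id'
Jul 28 16:50:10 simplesamlphp ERROR [0000000000] SimpleSAML_Error_NoState: NOSTATE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<track>[0-9a-f]+)\]\s+(?P<msg>.*)$"
)
STATE_RE = re.compile(r"Loading state: '([^']+)'")
SESSION_RE = re.compile(r"Session: Valid session found with '([^']+)'")


def triage_nostate(log_text):
    """Group lines by tracking id and classify each request that hit NOSTATE."""
    requests = {}  # tracking id -> facts seen for that request
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines or other log formats
        req = requests.setdefault(m["track"], {
            "track": m["track"], "time": m["ts"], "state": None,
            "authsource": None, "nostate": False})
        msg = m["msg"]
        if (s := STATE_RE.search(msg)):
            req["state"] = s.group(1)
        elif (s := SESSION_RE.search(msg)):
            req["authsource"] = s.group(1)
        elif "SimpleSAML_Error_NoState" in msg:
            req["nostate"] = True
    findings = [r for r in requests.values() if r["nostate"]]
    for r in findings:
        # Heuristic (assumption): a valid session logged in the same request
        # means the user was already logged in, so the response is a re-post.
        r["verdict"] = ("replayed-response" if r["authsource"]
                        else "state-missing-no-session")
    return findings


if __name__ == "__main__":
    for finding in triage_nostate(SAMPLE_LOG):
        print(finding)
```
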


