State information lost after logout and repeated login (with my SP and IdP pair)


Hanák Péter

Nov 11, 2014, 12:39:09 AM
to simple...@googlegroups.com
Hi All,

I am using SimpleSAMLphp 1.13.2. I have an SP and an IdP on different
(virtual) computers running Ubuntu 14.04 (they differ in the port numbers).

My IdP provides authentication with Feide, Facebook, LinkedIn, Google
and my own Drupal installation. It works well.

When I log in at the SP for the first time, and select any of the above
remote IdPs everything is OK. But when I log out and then log in again
(with the same account or a different one) I get a "state information
lost" message. However, after reselecting "default-sp" it turns out that
the last login was successful, and I have been logged in.

When I quit the browser (checked both with Chrome and Firefox), then
restart it and log in for the first time everything works fine. When I
clear the cookies without quitting the browser, everything works fine too.

I have been fighting with this issue for a couple of days. Can you help
me, please?

Peter Hanak

Hanák Péter

Nov 11, 2014, 8:10:19 AM
to simple...@googlegroups.com
Hi,

The problem is with the 'SimpleSAMLAuthToken' cookie. If I set
'$checkToken' to 'FALSE' instead of 'TRUE' on line 1093 in
'simplesamlphp-1.13.2/lib/SimpleSAML/Session.php' (written by Andreas
Åkre Solberg) then everything works well.

However, as Olav Morken wrote in
<https://groups.google.com/forum/#!searchin/simplesamlphp/authtoken$20logout/simplesamlphp/7nPTLk7NuJ0/KGzgCotdI1EJ>
this cookie "is a simple session-fixation protection".

How can this cookie be removed or forgotten on logout?

Thanks in advance,

Peter Hanak

Jaime Pérez Crespo

Nov 11, 2014, 2:03:49 PM
to simple...@googlegroups.com
Hi Péter,

> On 11 Nov 2014, at 14:10 pm, Hanák Péter <peter...@gmail.com> wrote:
> The problem is with the 'SimpleSAMLAuthToken' cookie. If I set '$checkToken' to 'FALSE' instead of 'TRUE' on line 1093 in 'simplesamlphp-1.13.2/lib/SimpleSAML/Session.php' (written by Andreas Åkre Solberg) then everything works well.
>
> However, as Olav Morken wrote in <https://groups.google.com/forum/#!searchin/simplesamlphp/authtoken$20logout/simplesamlphp/7nPTLk7NuJ0/KGzgCotdI1EJ>
> this cookie "is a simple session-fixation protection".

And that’s what the cookie is indeed. If you don’t check the cookie, then you are opening for session fixation attacks. An attacker could somehow set a session cookie for you (one which he or she knows), and since the session cookie identifier does not change when logged in, if you now log in, the attacker just needs to use that session cookie to be logged in as you. The auth token is a cookie which is randomly generated after authentication, and its value is stored in the session itself. Since it’s random, it’s not predictable, and an attacker can’t know its value beforehand, nor fix it in any way. If the auth token does not match the auth token stored for the session, then you are not considered logged in.

> How can this cookie be removed or forgotten on logout?

It should. And in any case, if it’s not removed after logout, it would be overwritten on the next login, so I don’t see any problem here.

If something as simple as that does not work for you, there must be a configuration error somewhere. If the error appears to be related with cookies, I would check the cookie configuration. And of course I would set SimpleSAMLphp in debug mode and check the log files for information that could lead to the reason of the error. Tracing the requests and responses in your browser is also a good idea.

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost


Hanák Péter

Nov 12, 2014, 10:59:11 AM
to simple...@googlegroups.com
Hi Jamie,

thank you for your suggestions.

Today, we have tested our SP/IdP installation with SimpleSAML_Logger and
Firefox with SAML Tracer plugin. We have found that the IdP returns the
AuthToken cookie it has received from the SP in its GET requests to the
SP but it returns another (new) cookie in its POST request to the SP.
This behaviour is common with all the remote IdPs behind our IdP. We
have also checked the config.php files (both on the IdP and the SP) but
found nothing wrong or suspicious.

Do you have any idea what can go wrong?

Kind regards,

Peter

Hanák Péter

Nov 13, 2014, 10:09:45 AM
to simple...@googlegroups.com
Hi,

I think I found the problem and the solution, or at least a workaround.

Problem: the AuthToken cookie is not deleted on logout at the SP side
(we use the 'sql' datastore). When I start a new login the IdP side POSTs a
new cookie - it should. However, because AuthToken is not NULL at the SP
side, checkToken fails. If AuthToken is NULL checkToken is not called.

Solution: deletion of AuthToken ('$this->authToken = NULL;') should be
added to function 'doLogout' in file
'simplesamlphp/lib/SimpleSAML/Session.php'; I added it to the end of the
function:
...
/* Delete data which expires on logout. */
$this->expireDataLogout();
/* Forget the auth token as well, so the next login stores a fresh one. */
$this->authToken = NULL;
}

I am not sure if this is the proper place or the best solution.

Regards,

Peter
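As an added illustration (not SimpleSAMLphp's own code) of the auth-token mechanism Jaime explains above and of the token reset Peter added to doLogout: a small PHP model in which the class and method names are assumptions.

```php
<?php
// Added example, not SimpleSAMLphp code: a model of the SimpleSAMLAuthToken
// check and of the token reset on logout. Names are hypothetical.
final class Session
{
    public $user = null;
    public $authToken = null; // random value stored server-side at login

    // Login: bind a fresh random token to the session and send the same
    // value to the browser as the SimpleSAMLAuthToken cookie.
    public function doLogin($user, array &$cookies)
    {
        $this->user = $user;
        $this->authToken = bin2hex(random_bytes(16));
        $cookies['SimpleSAMLAuthToken'] = $this->authToken;
    }

    // Logout: also forget the stored token (Peter's fix), so no stale
    // value survives to be compared against the next login's cookie.
    public function doLogout(array &$cookies)
    {
        $this->user = null;
        unset($cookies['SimpleSAMLAuthToken']);
        $this->authToken = null;
    }

    // The check: while a token is stored, the browser must present the
    // matching cookie or the session is not considered logged in.
    public function isAuthenticated(array $cookies, $checkToken = true)
    {
        if ($this->user === null) {
            return false;
        }
        if (!$checkToken || $this->authToken === null) {
            return true; // check skipped, as with the '$checkToken = FALSE' workaround
        }
        $presented = isset($cookies['SimpleSAMLAuthToken']) ? $cookies['SimpleSAMLAuthToken'] : '';
        return hash_equals($this->authToken, $presented); // constant-time compare
    }
}

// Fixation scenario (constructed): attacker and victim share one fixed session
// id, so both resolve to the same Session; only the victim's browser got the token.
$session = new Session();
$victimCookies = array();
$attackerCookies = array(); // knows the session id, cannot know the token
$session->doLogin('victim', $victimCookies);
$victimOk = $session->isAuthenticated($victimCookies);                  // passes the check
$attackerBlocked = !$session->isAuthenticated($attackerCookies);        // fails the check
$attackerIfUnchecked = $session->isAuthenticated($attackerCookies, false); // why disabling it is unsafe
$session->doLogout($victimCookies);
$noStaleToken = ($session->authToken === null);                         // nothing left to mismatch
```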

Jaime Pérez Crespo

Nov 14, 2014, 9:42:00 AM
to simple...@googlegroups.com
Hi Péter,

> On 12 Nov 2014, at 16:59 pm, Hanák Péter <peter...@gmail.com> wrote:
> Hi Jamie,

Actually it’s Jaime (a Spanish name, not an American / British one :-)

> thank you for your suggestions.
>
> Today, we have tested our SP/IdP installation with SimpleSAML_Logger and Firefox with SAML Tracer plugin. We have found that the IdP returns the AuthToken cookie it has received from the SP in its GET requests to the SP but it returns another (new) cookie in its POST request to the SP. This behaviour is common with all the remote IdPs behind our IdP. We have also checked the config.php files (both on the IdP and the SP) but found nothing wrong or suspicious.

There’s something wrong in what you are saying in both this and the other messages. Cookies are local to a domain. Therefore, the IdP doesn’t see the SP cookies nor the other way around. There’s no way an IdP can receive a cookie set by the SP, *unless* both are running in the same host / domain.

If that’s the case, I’m afraid you have a problem with your configuration in what relates to the cookie domain and path.