Hi,
I return to a question that got no response in the past: when an SP
endpoint receives a <LogoutRequest>, it searches for the user session using
the SSP cookie as key.
If no such session exists, the SP fails with a NOSTATE exception,
which shows an error page to the user and breaks the SLO process,
preventing it from propagating to the other participating SPs.
It is not relevant why the SP couldn't find the session; the point is
there is no reason to fail.
Invalidating an existing session or ignoring a non-existent one are
idempotent behaviours.
Unfortunately, the SAML specs are not clear on the expected behaviour,
because <LogoutResponse> doesn't provide a suitable Status code.
I could work on the issue (not breaking the SLO process when the session
doesn't exist), but I need a clue on the direction:
alternative 1) the SLO endpoint returns a <RequestResponse> with a proper
Error status (which one?) instead of raising an Exception, leaving
further actions to the IdP
alternative 2) the SLO endpoint returns a RequestResponse with a
Success status even in the case no user session can be retrieved
alternative 3) the SLO procedure ignores cookies and identifies the
session using only <NameID>/<SessionIndex> and, if found, destroys it. If
it does not return Success anyway, this is a partial solution that works when
the Login and Logout endpoints are on different virtual hosts sharing the
same SSP entityId
Thanks.
--
Marco Ferrante (ma...@csita.unige.it)
Head of the e-learning, multimedia and web tools service
tel. 010 209-51521
https://www.aulaweb.unige.it/
Area ICT
Università degli Studi di Genova
c/o Palazzo Serra, Piazza Santa Sabina, 2
16124 Genova GE (Italy)
mailto: st...@aulaweb.unige.it
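As an added example, not part of the message above and not SimpleSAMLphp code, the following Python model shows how an SP SLO endpoint can handle a <LogoutRequest> idempotently along the lines of the three alternatives: it looks the session up by cookie, falls back to a NameID/SessionIndex lookup (alternative 3), destroys the session if found, and always answers with a <LogoutResponse> instead of raising. The `policy` switch selects between reporting Success regardless (alternative 2) and reporting the standard Requester/UnknownPrincipal status pair from SAML Core (one concrete answer to the "which one?" in alternative 1). The session store, cookie values, NameIDs and the sample request are all constructed; signature verification of the request is assumed to have happened before this code runs.

```python
"""Idempotent SP-side handling of a SAML <LogoutRequest> (constructed example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Status code URIs defined in SAML 2.0 Core.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"


@dataclass
class Session:
    cookie: str          # value of the SP session cookie (hypothetical store key)
    name_id: str         # subject NameID asserted by the IdP at login
    session_index: str   # SessionIndex from the login assertion


class SessionStore:
    """Hypothetical in-memory SP session store keyed by cookie value."""

    def __init__(self):
        self._sessions = {}

    def add(self, session):
        self._sessions[session.cookie] = session

    def get_by_cookie(self, cookie):
        return self._sessions.get(cookie)

    def find_by_subject(self, name_id, session_index):
        # Alternative 3: locate the session without relying on the cookie.
        for s in self._sessions.values():
            if s.name_id == name_id and (session_index is None or s.session_index == session_index):
                return s
        return None

    def destroy(self, session):
        self._sessions.pop(session.cookie, None)

    def __len__(self):
        return len(self._sessions)


def parse_logout_request(xml_text):
    """Return (request ID, NameID, SessionIndex or None) from a <LogoutRequest>."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.find(f"{{{SAML}}}NameID")
    if name_id is None or not name_id.text:
        raise ValueError("LogoutRequest without NameID")
    index = root.find(f"{{{SAMLP}}}SessionIndex")
    return root.get("ID"), name_id.text, (index.text if index is not None else None)


def build_logout_response(in_response_to, top_code, second_code=None):
    """Serialise a minimal <LogoutResponse> (Issuer, Destination and Signature omitted)."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {"InResponseTo": in_response_to, "Version": "2.0"})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": top_code})
    if second_code:
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", {"Value": second_code})
    return ET.tostring(resp, encoding="unicode")


def response_status(xml_text):
    """Return (top-level, second-level or None) StatusCode values of a response."""
    root = ET.fromstring(xml_text)
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    second = top.find(f"{{{SAMLP}}}StatusCode")
    return top.get("Value"), (second.get("Value") if second is not None else None)


def handle_logout_request(store, xml_text, cookie=None, policy="success"):
    """Process an already signature-verified LogoutRequest; never raise for a missing session.

    policy="success":   alternative 2, answer Success even when no session is found.
    policy="requester": alternative 1, answer Requester/UnknownPrincipal and let the IdP decide.
    """
    request_id, name_id, session_index = parse_logout_request(xml_text)
    session = store.get_by_cookie(cookie) if cookie else None
    # Added check: the cookie session must belong to the subject named in the
    # request, so a stray cookie cannot end a different user's session.
    if session is not None and session.name_id != name_id:
        session = None
    if session is None:
        session = store.find_by_subject(name_id, session_index)
    if session is not None:
        store.destroy(session)
        return build_logout_response(request_id, STATUS_SUCCESS)
    if policy == "success":
        return build_logout_response(request_id, STATUS_SUCCESS)
    return build_logout_response(request_id, STATUS_REQUESTER, STATUS_UNKNOWN_PRINCIPAL)


# Constructed sample request as an IdP would send it (signature stripped).
SAMPLE_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:NameID>alice@example.org</saml:NameID>
  <samlp:SessionIndex>_idx1</samlp:SessionIndex>
</samlp:LogoutRequest>"""
```

Delivering the same request twice, or delivering it to a virtual host that never set the cookie, now yields a well-formed response either way, which is what lets the IdP carry on with the remaining participants; the only behavioural difference between the two policies is the status the IdP sees when nothing was there to destroy.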