Re-authenticate after inactivity time out


Mansfield Autism

Sep 24, 2025, 9:47:40 PM
to SimpleSAMLphp
Hi all,
I have a web-based application that I've built for our non-profit. While it's an extensive application, there is nothing complicated about it. It's a CRUD application in essence, built with vanilla PHP, HTML and CSS. I do make use of $_SESSION to pass values between pages, for example to return values to forms when the forms don't pass validation.
I don't have much understanding of SAML itself but have gotten the following to work by following the docs.
I'm using SimpleSAMLphp (version 2.4.2) to authenticate my application using SSO against our Entra tenant. This works well and I am asked to log in once every morning; I believe the tenant SSO app is set to an 8 hour session (default).
Every page has SimpleSAMLphp at the top to check if it is still logged in and, if not, it invokes our MS tenant login.

I have been asked to have the application require re-authentication after 1 hour of inactivity, for security reasons.
I have a separate application used for testing with a separate instance of SimpleSAMLphp and its own SP name. It works without affecting the production application.
The config file has all the session settings at default. My understanding is that the session times cause the application to either log out or re-authenticate based on the age of the session, not based on inactivity?

I have tried the following code (with the time-out set to 3 minutes for testing purposes) and it works, but because of SSO it logs out of all programs, i.e. MS Office etc.

// Load SimpleSAMLphp; the path below is the default for a 2.x install and
// has to match where your copy lives.
require_once('/var/simplesamlphp/src/_autoload.php');

// The application keeps its own values in $_SESSION, so make sure a PHP
// session is running before touching it.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

$as = new \SimpleSAML\Auth\Simple('mytest-sp');
if (!$as->isAuthenticated()) {
    $as->requireAuth(); // redirects to the IdP and does not return
}
$attributes = $as->getAttributes();
// Entra sends the address under this claim URI; fall back to null if it is missing.
$emailAddress = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0] ?? null;

// Inactivity tracking: remember when this user last made a request.
if (!isset($_SESSION['last_activity'])) {
    $_SESSION['last_activity'] = time();
}
$last_activity = $_SESSION['last_activity'];
$session_duration = 180; // 3 minutes in seconds

if (time() - $last_activity > $session_duration) {
    // logout() starts SAML Single Logout at the IdP, which is what also
    // ends the other Microsoft sessions in the browser. It redirects and does not return.
    $as->logout('https://mywebsite.org/logged-out.php');
}
$_SESSION['last_activity'] = time();


If I replace $as->logout with $as->requireAuth() then after the 3 minutes I can see a flash in the address bar of the application going to MS, finding out it is still logged in and returning to the current page (I am assuming).

I then discovered $as->requireAuth(['ForceAuthn' => true]), which I believe our tenant does support, but with ForceAuthn in the code, when the 3 minutes expire and I refresh, nothing happens, not even the flash of the long URL in the address bar of checking in with the MS tenant.

Am I barking up the wrong tree here?
Is there an easier way to achieve forced re-authentication after a set time of inactivity?

Any help or insight would be greatly appreciated, thanks in advance,
Alan.

Mansfield Autism

Sep 26, 2025, 5:54:45 AM
to SimpleSAMLphp
The thing that is making this hard to understand and is confusing me is this.

If I change the session values in my config.php to:

'session.duration' => 5 * 60, // 5 minutes.
'session.datastore.timeout' => (3 * 60), // 3 minutes.

and then have this at the top of my page:

$as = new \SimpleSAML\Auth\Simple('default-sp');
if (!$as->isAuthenticated()) {
    $as->requireAuth(['ForceAuthn' => true]);
}

then once 5 minutes have expired I am sent to the MS login page as expected and asked to authenticate again (username, password, and MFA Authenticator).
It does not log me out of other MS apps I am in in the same browser, like Office.

This is the behaviour I am trying to achieve, but after inactivity, not after a fixed time period.
I refreshed the page every minute, but it still sent me for re-authentication after 5 minutes.
This also proves that 'ForceAuthn' => true is supported and works, just not with the inactivity code I have written.

Does this give a clue to anyone?

Tim van Dijen

Sep 26, 2025, 6:06:56 AM
to SimpleSAMLphp
Hi Alan,

$as->requireAuth(['ForceAuthn' => true]); will not do anything if the user still has a valid session.

To bypass this and enforce re-authentication, you can do:

$as->login(['ForceAuthn' => true]);

- Tim
On Friday, 26 September 2025 at 11:54:45 UTC+2, in...@autismmansfield.org.au wrote:
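Putting Tim's answer together with Alan's inactivity check, here is an added example of a page guard that forces a fresh IdP login after an idle period without calling logout() (and so without triggering Single Logout for the rest of the tenant). It is not code from the thread or from the SimpleSAMLphp project. It assumes a SimpleSAMLphp 2.x install at the default /var/simplesamlphp path and an SP named 'default-sp'; it keeps the activity marker in SimpleSAMLphp's own session data store rather than in the application's $_SESSION, and it checks the saml:AuthnInstant recorded by the saml SP module so that an IdP that ignores ForceAuthn is detected rather than silently trusted.

```php
<?php
// Added example, not part of the thread or of SimpleSAMLphp itself.
// Assumptions: autoloader path and SP name below are placeholders for this example.
declare(strict_types=1);

require_once '/var/simplesamlphp/src/_autoload.php';

use SimpleSAML\Auth\Simple;
use SimpleSAML\Session;

const IDLE_LIMIT = 60 * 60;   // 1 hour of inactivity, as requested in the thread
const DATA_TYPE  = 'myapp';   // namespace for this app's entries in the SimpleSAMLphp session store

/**
 * Require an authenticated user and force a fresh IdP login once the user
 * has been idle for more than $idleLimit seconds.
 * When a redirect is needed this function does not return: requireAuth() and
 * login() both send the browser to the IdP and exit.
 */
function requireActiveAuth(Simple $as, int $idleLimit = IDLE_LIMIT): void
{
    // Normal case: there must be a valid SP session at all.
    $as->requireAuth();

    // SimpleSAMLphp's own session, so the app's $_SESSION handling is left alone.
    // DATA_TIMEOUT_SESSION_END keeps the entries for the life of the session
    // instead of letting session.datastore.timeout silently drop them (fail-open).
    $session = Session::getSessionFromRequest();

    // If the previous request demanded a forced re-auth, verify the IdP honoured it.
    $requestedAt = $session->getData(DATA_TYPE, 'reauth_requested_at');
    if ($requestedAt !== null) {
        $session->deleteData(DATA_TYPE, 'reauth_requested_at');
        // AuthnInstant of the assertion the SP currently holds, as stored by the saml module.
        $authnInstant = (int) $as->getAuthData('saml:AuthnInstant');
        if ($authnInstant < (int) $requestedAt) {
            // The IdP returned an old authentication instead of a fresh one: fail closed.
            http_response_code(403);
            exit('Re-authentication was required but the identity provider did not perform it.');
        }
    }

    $lastActivity = $session->getData(DATA_TYPE, 'last_activity');
    if ($lastActivity !== null && (time() - (int) $lastActivity) > $idleLimit) {
        // Idle too long. Do NOT use logout(): that starts SAML Single Logout and ends
        // the Entra session for every other application in the browser.
        // requireAuth(['ForceAuthn' => true]) is a no-op while the SP session is valid;
        // login() always sends a new AuthnRequest, here with ForceAuthn set.
        $session->setData(DATA_TYPE, 'reauth_requested_at', time(), Session::DATA_TIMEOUT_SESSION_END);
        $as->login(['ForceAuthn' => true]); // ReturnTo defaults to the current URL
    }

    // This request counts as activity: refresh the marker.
    $session->setData(DATA_TYPE, 'last_activity', time(), Session::DATA_TIMEOUT_SESSION_END);
}

// Usage at the top of every protected page:
$as = new Simple('default-sp');
requireActiveAuth($as);
$attributes   = $as->getAttributes();
$emailAddress = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0] ?? null;
```

Two things a reviewer would want to confirm in a real deployment: that Entra is in fact issuing a new assertion on ForceAuthn (compare the AuthnInstant before and after, as the guard does, rather than assuming from the redirect flash), and that the session.duration in config.php is not shorter than the idle limit, otherwise SimpleSAMLphp's own expiry still fires first and the inactivity logic never gets to run, which is the confusion in the second post.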