Re-authenticate after inactivity time out


Mansfield Autism

Sep 24, 2025, 9:47:40 PM
to SimpleSAMLphp
Hi all,
I have a web based application that I've built for our Non-Profit. While it's an extensive application, there is nothing complicated about it. It's a CRUD application in essence built with vanilla php, html and CSS. I do make use of $_SESSION to pass values between pages, for example to return values to forms when the forms don't pass validation.
I don't have much understanding of SAML itself but have gotten the following to work, by following the docs.
I'm using SimpleSAMLphp (version 2.4.2) to authenticate my application using SSO against our Entra tenant. This works well and I am asked to log in once every morning, I believe the tenant SSO App is set to 8 hour session (default).
Every page has simplesamlphp at the top to check if it is still logged in and if not, it invokes our MS tenant login.

I have been asked to have the application require reauthentication after 1 hour of inactivity, for security reasons.
I have a separate application used for testing with a separate instance of simplesamlphp and it's own SP name. It works without affecting the production application.
The config file has all the session settings at default. My understanding is that the session times cause the application to either log out or reauthenticate based on the time of the session, not based on inactivity?

I have tried the following code (with time-out set for 3 minutes for testing purposes) and it works, but because of SSO it logs out of all programs, i.e. MS Office etc.

$as = new \SimpleSAML\Auth\Simple('mytest-sp');
if (!$as->isAuthenticated()) {
    $as->requireAuth();
}
$attributes = $as->getAttributes();
$emailAddress = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0];

// Record the time of the first request in this PHP session
if (!isset($_SESSION['last_activity'])) {
    $_SESSION['last_activity'] = time();
}
$last_activity = $_SESSION['last_activity'];
$session_duration = 180; // 3 minutes in seconds

// Idle for longer than the limit: SP-initiated logout (this also ends the IdP SSO session)
if (time() - $last_activity > $session_duration) {
    $as->logout('https://mywebsite.org/logged-out.php');
}
// Every request that gets this far counts as activity
$_SESSION['last_activity'] = time();

If I replace $as->logout with $as->requireAuth() then after the 3 minutes I can see a flash in the address bar of the application going to MS, finding out it is still logged in and returning to the current page (I am assuming).

I then discovered $as->requireAuth(['ForceAuthn' => true]); which I believe our Tenant does support, but with ForceAuthn in the code, when the 3 minutes expires and I refresh, nothing happens, not even the flash of long url in the address bar of checking in with MS tenant.

Am I barking up the wrong tree here?
Is there an easier way to achieve forced re-authentication after a set time of inactivity?

Any help or insight would be greatly appreciated, thanks in advance,
Alan.

Mansfield Autism

Sep 26, 2025, 5:54:45 AM
to SimpleSAMLphp
The thing that is making this hard to understand and is confusing me is:

If I change the session values in my config.php to:

'session.duration' => 5 * 60, // 5 minutes.
'session.datastore.timeout' => (3 * 60), // 3 minutes.

and then have this at the top of my page:

$as = new \SimpleSAML\Auth\Simple('default-sp');
if (!$as->isAuthenticated()) {
    $as->requireAuth(['ForceAuthn' => true]);
}

Then once 5 minutes has expired I am sent to the MS Login page as expected and asked to authenticate again (username, password, and MFA Authenticator).
It does not log me out of other MS apps I am in, in the same browser, like Office.

This is the behaviour I am trying to achieve but after inactivity, not after time period.
I refreshed the page every minute, but it still sent me for re-authentication after 5 minutes.
This also proves that 'ForceAuthn' => true is supported and works, just not with the inactivity code I have written.

Does this give a clue to anyone?

Tim van Dijen

Sep 26, 2025, 6:06:56 AM
to SimpleSAMLphp
Hi Alan,

$as->requireAuth(['ForceAuthn' => true]); will not do anything if the user still has a valid session.

To bypass this and enforce re-authentication, you can do:

$as->login(['ForceAuthn' => true]);

- Tim
On Friday, 26 September 2025 at 11:54:45 UTC+2, in...@autismmansfield.org.au wrote:

Mansfield Autism

Oct 1, 2025, 8:03:04 PM
to SimpleSAMLphp
Hi Tim, thanks for your reply.
I feel your answer gets me close but it loops through the login process.
This is the code I currently have on my test page.

require_once __DIR__ . '/../../../../simplesamlphp-test/src/_autoload.php';

$as = new \SimpleSAML\Auth\Simple('default-sp');
if (!$as->isAuthenticated()) {
    // User is not authenticated in the SP session, initiate authentication
    $as->requireAuth();
}

// Record the time of the first request in this PHP session
if (!isset($_SESSION['last_activity'])) {
    $_SESSION['last_activity'] = time();
}
$last_activity = $_SESSION['last_activity'];
$sessionTimeoutDuration = 180; // 3 minutes in seconds

// Idle for longer than the limit: force re-authentication at the IdP
if (time() - $last_activity > $sessionTimeoutDuration) {
    $as->login(['ForceAuthn' => true]);
}
$attributes = $as->getAttributes();
$emailAddress = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0];
$_SESSION['last_activity'] = time();

After 3 minutes of inactivity it times out and on refresh, sends me off to our tenant to login using username password and authenticator, Yay! except it loops endlessly through this.
username, password, MS Authenticator on phone, success but back to username, password Authenticator etc.
I have another page open with the same code but timeout set to 10 minutes, and it loads OK and then lets me load this page (3 minute timeout) OK.

I did try changing $as->login(['ForceAuthn' => true]); to $as->login(); but it went to the tenant and got stuck in a loop of the login address with different parameters flashing up for Request= i.e.
https://login.microsoftonline.com/<our-tenant-id>/saml2?SAMLRequest=jVJNj9MwEP0rke%2FOh9 followed by the long string of parameters.

The only way to break the cycling through different parameter combos is to refresh the other tab with the 10 minute timeout and then I can load both pages fine again.

These two pages that I have are test pages and the code above is the only PHP code on them. They have some HTML after the PHP to show me that the page has loaded.

I feel I am close, but my lack of understanding of how this is supposed to work is preventing me from getting there.

If I change the top 
if (!$as->isAuthenticated()) {
    // User is not authenticated in the SP session, initiate authentication
    $as->requireAuth();
}
to 
$as->requireAuth(['ForceAuthn' => true]);

and let the actual SimpleSAMLphp session time out due to the session settings in config, then it does send me to the tenant to log in and authenticate, but works as it should and after authenticating, returns me to the application and loads the page.

If you or anyone else can see something obvious, I'd love the help.

Mansfield Autism

Oct 1, 2025, 8:03:17 PM
to SimpleSAMLphp
Hi Tim,

Thanks for your help. I worked out that the $_SESSION['last_activity'] was still set after re-logging in, so it was sending the user back to log in again, every time.
I've added unset and it works like a charm now.

if (time() - $last_activity > $sessionTimeoutDuration) {
    // Clear the marker so the request that returns from the IdP does not time out again
    unset($_SESSION['last_activity']);

    $as->login(['ForceAuthn' => true]);
}

Thank you greatly for your help.

On Friday, September 26, 2025 at 8:06:56 PM UTC+10 Tim van Dijen wrote:
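Putting Tim's point (requireAuth() is a no-op while the SP session is valid; login() with ForceAuthn is what makes the IdP re-verify credentials) and Alan's fix (clear the idle marker before redirecting) together, here is an added example of the complete page header, not code from the thread or from SimpleSAMLphp itself. The autoloader path, the 'default-sp' auth source name and the one-hour limit are assumptions; the guarded session_start() is there in case SimpleSAMLphp's session store has not started the PHP session.

```php
<?php
// Added example (not from the thread): re-authenticate after a period of inactivity.
// Assumption: autoloader path and 'default-sp' are placeholders for your install.
require_once __DIR__ . '/simplesamlphp/src/_autoload.php';

const INACTIVITY_LIMIT = 60 * 60;      // 1 hour of inactivity, in seconds
const ACTIVITY_KEY     = 'last_activity';

$as = new \SimpleSAML\Auth\Simple('default-sp');

// 1. Make sure there is an SP session at all. With a valid IdP SSO session this
//    is a silent round trip; it never forces credentials to be re-entered.
$as->requireAuth();

// 2. The idle marker lives in the PHP session; start one if the SimpleSAMLphp
//    session store did not already do so (assumption: default 'phpsession' store).
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// 3. Decide BEFORE refreshing the timestamp whether the user has been idle too long.
//    Drop the marker first: login() redirects to the IdP and does not return, and the
//    user comes back to this page in a fresh request. A stale marker would make that
//    request time out again and send the user straight back to the IdP in a loop.
$now  = time();
$last = $_SESSION[ACTIVITY_KEY] ?? $now;
if ($now - $last > INACTIVITY_LIMIT) {
    unset($_SESSION[ACTIVITY_KEY]);
    // ForceAuthn=true asks the IdP to re-verify the user even though its own SSO
    // session is still valid; unlike logout(), it does not sign the user out elsewhere.
    $as->login(['ForceAuthn' => true]);
    exit; // defensive only: login() already exits after issuing the redirect
}

// 4. Only a request that passed the check counts as activity.
$_SESSION[ACTIVITY_KEY] = $now;

$attributes   = $as->getAttributes();
$emailAddress = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0] ?? null;
```

Because the marker is cleared before the redirect, the first request after a successful ForceAuthn login starts a fresh idle window instead of tripping the check again.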