What is the main purpose for session.state.timeout?


Chin

Dec 7, 2011, 5:49:02 AM
to simpleSAMLphp
Hi all,

I love simpleSAMLphp :)
Anyway, I am not sure what the main purpose of
session.state.timeout is. Or, in other words, I already have the session
timeout set to 8 hours (default); what is the role of the state timeout,
which is on top of the session timeout?

I understand the default is 1 hour, but what happens if I set it to 8
hours or more? How will it affect the system?
Or, in other words, will there be any security concerns if I set it too
long (or even disable it)?

Thanks :)

Best regards

Olav Morken

Dec 7, 2011, 6:36:06 AM
to simple...@googlegroups.com

The 'session.state.timeout' mainly controls the lifetime of the "login
operation". When it starts a login operation, it will save some
information about it to the session, and that information is then
retrieved when the response is received from the IdP.

(The same variable also controls the timeout for information about
other processes, e.g. logout.)

Best regards,
Olav Morken
UNINETT / Feide

Chin

Dec 7, 2011, 7:36:00 PM
to simpleSAMLphp
Thanks Olav, you are always helpful!
Meanwhile, what is the significance, or what are the security concerns, if for
example I have raised the timeout from 1 hour to 8 hours?

Best Regards
Chin

Olav Morken

Dec 8, 2011, 4:24:55 AM
to simple...@googlegroups.com
On Wed, Dec 07, 2011 at 16:36:00 -0800, Chin wrote:
> Thanks Olav, you are always helpful!
> Meanwhile, what is the significance, or what are the security concerns, if for
> example I have raised the timeout from 1 hour to 8 hours?

It only means that the user can spend a longer time on the login page,
and it causes a slight increase in the session size (the data is kept in
the session for a longer time).

But: Why do you want to increase this value? Do you have a problem with
users spending a long time at the login page?

Chin

Dec 8, 2011, 4:32:58 AM
to simpleSAMLphp
Hi Olav,

Thanks again :)
The reason I am asking this is because of the following usage
behavior:
1) User logs in successfully
2) User plays around with the SP
3) User logs out
4) After logout, the browser shows the IdP login page
5) User opens another tab (the tab with the login page is still there) and
works on something else.
6) After an hour or two (or more) the user goes back to the tab with the login
page.
7) User tries to log in, but because that login page has already expired, the
user logs in on the 2nd attempt.

Anyhow, the knee-jerk reaction is that I should increase the expiry
time. But I am not sure if there are any security implications if I do
so.

Best Regards
Chin

Olav Morken

Dec 8, 2011, 9:03:55 AM
to simple...@googlegroups.com
On Thu, Dec 08, 2011 at 01:32:58 -0800, Chin wrote:
> Hi Olav,
>
> Thanks again :)
> The reason I am asking this is because of the following usage
> behavior:
> 1) User logs in successfully
> 2) User plays around with the SP
> 3) User logs out
> 4) After logout, the browser shows the IdP login page
> 5) User opens another tab (the tab with the login page is still there) and
> works on something else.
> 6) After an hour or two (or more) the user goes back to the tab with the login
> page.
> 7) User tries to log in, but because that login page has already expired, the
> user logs in on the 2nd attempt.
>
> Anyhow, the knee-jerk reaction is that I should increase the expiry
> time. But I am not sure if there are any security implications if I do
> so.

There should not be any security problems with doing it.
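As an added illustration (not code posted in this thread), here are the two settings side by side as they appear in a simpleSAMLphp config/config.php; the key names and default values are simpleSAMLphp's, and the comments summarize the distinction Olav draws above:

```php
<?php
// config/config.php (fragment). Added example; the comments are editorial.
$config = [
    // Lifetime of an authenticated session, in seconds. This is what
    // governs how long a logged-in user stays logged in at the SP.
    'session.duration' => 8 * (60 * 60),   // 8 hours (default)

    // Lifetime of the state saved for a pending login (or logout) operation:
    // the data stored when the user is sent to the IdP and read back when
    // the response comes in. Raising it lets a login page sit open longer
    // (Chin's scenario) and keeps that state in the session longer; it does
    // not lengthen 'session.duration' for users who are already logged in.
    'session.state.timeout' => 60 * 60,    // 1 hour (default)
];
```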
