session.cookie.domain and Internet Explorer lost state


Matt Blubaugh

Apr 18, 2013, 4:19:32 PM
to simple...@googlegroups.com
I am having a problem where leaving the session.cookie.domain value to the default of NULL causes a consistent state lost error in IE7 through IE9.

I have three service providers and one identity provider. The service providers reside on unique top level domains and the identity provider is a subdomain of one of the three. The login / logout works great in Chrome, Firefox and IE10.

I only discovered today that it does not work in IE7 through IE9. What do I need to set the session.cookie.domain to? When I set an explicit value of something like ".domain1.com" it works in IE7 through IE9 but then the cookie isn't accessible from the other domains. So if you're logged in on domain1, domain2 and domain3 don't know that. 

How do I make this work with Internet Explorer?

Matt Blubaugh

Apr 18, 2013, 4:20:51 PM
to simple...@googlegroups.com
I am using version 1.10.0.

Peter Schober

Apr 19, 2013, 2:35:05 AM
to simple...@googlegroups.com
* Matt Blubaugh <matt.b...@gmail.com> [2013-04-18 22:19]:
> I only discovered today that it does not work in IE7 through IE9. What do I
> need to set the session.cookie.domain to? When I set an explicit value of
> something like ".domain1.com" it works in IE7 through IE9 but then the
> cookie isn't accessible from the other domains. So if you're logged in on
> domain1, domain2 and domain3 don't know that.

What "the cookie"? SAML doesn't care about DNS domains in the least.
It works well if you scope each HTTP cookie only to each FQDN for
every IDP and SP involved, which is also the default for SSP.
No requirement for cookies shared across hosts, not with any version
of any web browser.

Did you have a look at the state lost topic in the documentation to
help you with your current problem?
-peter
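
The point Peter makes above, that the default (null) session.cookie.domain gives each IdP and SP host its own cookie and that nothing in SAML needs a cookie to cross hosts, can be checked against browser cookie-matching rules. The following is an added example, not code from this thread or from SimpleSAMLphp: it models which hosts a browser returns a session cookie to for the two settings Matt tried, using RFC 6265 domain matching. The hostnames (idp.domain1.com and the three SPs) are constructed stand-ins for the deployment described in the thread.

```python
"""Added example (not from the thread or SimpleSAMLphp): which hosts receive a
session cookie under session.cookie.domain = null versus an explicit domain.
Hostnames below are constructed stand-ins for the deployment in the thread."""


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: the request host equals the cookie
    domain or ends with '.' + that domain.  A leading dot on the configured
    value is ignored, as browsers do with the Domain attribute."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def cookie_sent_to(request_host: str, issuing_host: str, configured_domain) -> bool:
    """configured_domain mirrors session.cookie.domain in config.php:
    None (the default) yields a host-only cookie, returned only to the exact
    host that set it; a string such as '.domain1.com' yields a domain cookie
    returned to every host under that domain.

    A domain cookie whose Domain does not cover the issuing host is rejected
    by the browser at set time (RFC 6265 section 5.3), so it reaches nobody."""
    if configured_domain is None:
        return request_host.lower() == issuing_host.lower()
    if not domain_matches(issuing_host, configured_domain):
        return False  # browser discards the Set-Cookie entirely
    return domain_matches(request_host, configured_domain)


def receiving_hosts(hosts, issuing_host, configured_domain):
    """Sorted subset of `hosts` that would get the cookie set by `issuing_host`
    under the given session.cookie.domain value."""
    return sorted(h for h in hosts if cookie_sent_to(h, issuing_host, configured_domain))


# Constructed deployment: one IdP on a subdomain of domain1, three SPs on
# separate registrable domains (as described in the thread).
DEPLOYMENT = ["idp.domain1.com", "sp.domain1.com", "sp.domain2.com", "sp.domain3.com"]

if __name__ == "__main__":
    for setting in (None, ".domain1.com"):
        label = "null (default)" if setting is None else repr(setting)
        print(f"session.cookie.domain = {label}")
        for issuer in DEPLOYMENT:
            print(f"  cookie set by {issuer:16} -> {receiving_hosts(DEPLOYMENT, issuer, setting)}")
```

With the default, every host keeps a cookie only for itself, which is all SimpleSAMLphp needs: the SP's session is established from the SAML response it receives, not from reading the IdP's cookie. Setting ".domain1.com" on the IdP merely widens that one cookie to domain1 hosts; it can never reach sp.domain2.com or sp.domain3.com, and an SP on domain2 configured with ".domain1.com" would have its cookie rejected outright.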

Matt Blubaugh

Apr 19, 2013, 10:06:40 AM
to simple...@googlegroups.com, peter....@univie.ac.at
I've enabled debug level logging and I'm trying to parse the output. There is a message about an Invalid AuthToken cookie that only occurs with IE7 - IE9. The session tracking id (in square brackets) before the Invalid AuthToken Cookie is different from the one after the error.

e.g.
...
Apr 19 10:03:05 simplesamlphp DEBUG [03261c032c] Session: doLogin("default-sp")
Apr 19 10:03:05 simplesamlphp WARNING [NA] Invalid AuthToken cookie.
Apr 19 10:03:05 simplesamlphp WARNING [8b895d80d1] Invalid AuthToken cookie.
Apr 19 10:03:05 simplesamlphp DEBUG [8b895d80d1] Session: 'default-sp' not valid because we are not authenticated.
Apr 19 10:03:05 simplesamlphp DEBUG [8b895d80d1] Saved state: '_2d01c01bb47e6f9a300044c817436ab70ceaac316a'
...

I will keep trying.
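
The change of tracking id between the doLogin line and the lines after the "Invalid AuthToken cookie" warning is the tell-tale of a browser that did not send the session cookie back, so the next request started a fresh session. The following is an added example, not code from this thread or from SimpleSAMLphp: it parses log lines in the layout shown above (the sample is a constructed copy of the posted excerpt) and reports each point where the bracketed tracking id changes, noting whether an Invalid AuthToken warning preceded it.

```python
"""Added example (not from the thread or SimpleSAMLphp): find session breaks in
SimpleSAMLphp log output of the layout shown in the thread."""

import re

# Matches "<Mon DD HH:MM:SS> simplesamlphp <LEVEL> [<tracking id>] <message>",
# the layout of the lines posted in the thread.  Other log formats that
# SimpleSAMLphp can be configured to emit would need a different pattern.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) simplesamlphp "
    r"(?P<level>[A-Z]+) \[(?P<track>[^\]]+)\] (?P<msg>.*)$"
)

# Constructed sample: a copy of the excerpt from the thread.
SAMPLE_LOG = """\
Apr 19 10:03:05 simplesamlphp DEBUG [03261c032c] Session: doLogin("default-sp")
Apr 19 10:03:05 simplesamlphp WARNING [NA] Invalid AuthToken cookie.
Apr 19 10:03:05 simplesamlphp WARNING [8b895d80d1] Invalid AuthToken cookie.
Apr 19 10:03:05 simplesamlphp DEBUG [8b895d80d1] Session: 'default-sp' not valid because we are not authenticated.
Apr 19 10:03:05 simplesamlphp DEBUG [8b895d80d1] Saved state: '_2d01c01bb47e6f9a300044c817436ab70ceaac316a'
"""


def parse_lines(text: str):
    """Parse every line that matches LINE_RE; unparseable lines are skipped."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["line"] = n
            records.append(rec)
    return records


def find_session_breaks(text: str):
    """Return one finding per change of tracking id between consecutive parsed
    lines.  '[NA]' lines are skipped: SimpleSAMLphp logs that before a session
    is attached to the request.  A change preceded by an 'Invalid AuthToken
    cookie' warning is the pattern from the thread: the browser did not return
    the session cookie, so the request was handled in a new session."""
    findings = []
    last_id = None
    saw_invalid = False
    for rec in parse_lines(text):
        if "Invalid AuthToken cookie" in rec["msg"]:
            saw_invalid = True
        if rec["track"] == "NA":
            continue
        if last_id is not None and rec["track"] != last_id:
            findings.append({
                "line": rec["line"],
                "from": last_id,
                "to": rec["track"],
                "after_invalid_authtoken": saw_invalid,
            })
            saw_invalid = False
        last_id = rec["track"]
    return findings


if __name__ == "__main__":
    for f in find_session_breaks(SAMPLE_LOG):
        flag = " (after Invalid AuthToken cookie)" if f["after_invalid_authtoken"] else ""
        print(f"line {f['line']}: session id {f['from']} -> {f['to']}{flag}")
```

Run against the posted excerpt this reports a single break at the third line, from 03261c032c to 8b895d80d1, right after the Invalid AuthToken warning. On a larger log, correlating each break with the User-Agent in the web server's access log for the same second is the quickest way to confirm that only some browser versions are affected.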

Matt Blubaugh

Apr 19, 2013, 11:31:42 AM
to simple...@googlegroups.com, peter....@univie.ac.at
It now appears to work in IE8 and IE9. I had to explicitly set the session.cookie.domain value for the identity provider (on a subdomain) to be ".domain.com".

Log in appears to work in IE7 but the log out results in the State Information Lost error.

This error appears in the Apache error log:

The first argument should be either a string or an integer in /__my-dir__/vendor/simplesamlphp-1.10.0/lib/SimpleSAML/Configuration.php on line 314,

Matt Blubaugh

Apr 19, 2013, 1:27:41 PM
to simple...@googlegroups.com, peter....@univie.ac.at
Spoke too soon. Back to receiving the lost state error.

Still getting this error in the simple saml log which I do not understand: 