Session expired after every 60 seconds.


Pradip Shrestha

Dec 13, 2016, 8:33:20 AM
to SimpleSAMLphp
Hi,

I have SimpleSAMLphp set up in my project. I am using the sql session type. Everything seems to be working fine. Assertions are being captured and users are able to log in. But my problem is that users get auto logged out every 90 seconds. This is stored in the simplesaml_saml_LogoutStore table and is captured from the assertion. I talked with my IdP provider and they said that 90 seconds is the validity of the assertion and cannot be increased because it can cause a session hijacking issue. He also said I need to implement/configure a session on my end after the user gets authenticated through the IdP. Is there any way I can store my own session and increase the auto logout duration? Please suggest.

config.php:
---------
$config['store.type'] = 'sql';                // SimpleSAMLphp sessions are kept in the SQL backend
$config['session.cookie.secure'] = true;      // session cookie only sent over HTTPS
$config['enable.authmemcookie'] = false;
$config['session.cookie.name'] = 'PHPSESSID'; // the same cookie name PHP uses for its own sessions


-Pradip

CIsSharp

Dec 13, 2016, 10:14:33 PM
to SimpleSAMLphp
Any advice? 

Jaime Perez Crespo

Dec 14, 2016, 4:07:05 AM
to simple...@googlegroups.com
Hi Pradip,

On 14 Dec 2016, at 04:14 AM, CIsSharp <pr.p...@gmail.com> wrote:
> Any advice?
>
> On Tuesday, December 13, 2016 at 8:33:20 AM UTC-5, CIsSharp wrote:
> Hi,
>
> I have SimpleSAMLphp set up in my project. I am using the sql session type. Everything seems to be working fine. Assertions are being captured and users are able to log in. But my problem is that users get auto logged out every 90 seconds. This is stored in the simplesaml_saml_LogoutStore table and is captured from the assertion. I talked with my IdP provider and they said that 90 seconds is the validity of the assertion and cannot be increased because it can cause a session hijacking issue. He also said I need to implement/configure a session on my end after the user gets authenticated through the IdP. Is there any way I can store my own session and increase the auto logout duration? Please suggest.

Since you are using SimpleSAMLphp as a service provider (you are delegating authentication to an IdP), I’m assuming you are using it to protect access to an application. Does that application have its own session?

> config.php:
> ---------
> $config['store.type'] = 'sql';
> $config['session.cookie.secure'] = true;
> $config['enable.authmemcookie'] = false;
> $config['session.cookie.name'] = 'PHPSESSID';

“PHPSESSID" is the default name for PHP sessions, managed by PHP itself. However, you are telling SimpleSAMLphp to store its sessions in a SQL backend.

In your application, you are also most likely using sessions. If that application is written in PHP, it is also likely that it uses PHP to manage sessions, and that "PHPSESSID" is the session name. In that case, you will have SimpleSAMLphp saving a session to a SQL backend and keeping a "PHPSESSID" cookie, and your application will be unable to find that session (since it won't use the SQL backend), so it will create a new one, overriding the contents of the "PHPSESSID" cookie.

In short: rename your SimpleSAML sessions. It doesn't make any sense at all to name them "PHPSESSID" if you are using a SQL backend. It doesn't make any sense at all to name them "PHPSESSID" in general, actually.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
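The collision Jaime describes, as an added example that is not part of this thread or of the SimpleSAMLphp project: the poster's config.php setting beside one that gives SimpleSAMLphp its own cookie, followed by a small check an operator can run inside the application to catch the two names clashing. The SQL DSN, the autoloader path and the application's own `session.name` are assumptions; `SimpleSAMLSessionID` is the cookie name SimpleSAMLphp's config template ships with.

```php
<?php
// Added example (not from the thread or SimpleSAMLphp). Two config.php fragments
// and a collision check. DSN, autoloader path and app session name are assumed.

// --- Before: SimpleSAMLphp stores its session in SQL but hands the browser a
// cookie called PHPSESSID. When the application calls session_start(), PHP
// looks for a file-based session with that id, finds none, creates a new one
// and overwrites the cookie. Each side keeps invalidating the other's session.
$config['store.type']          = 'sql';
$config['store.sql.dsn']       = 'mysql:host=localhost;dbname=simplesamlphp'; // assumed
$config['session.cookie.name'] = 'PHPSESSID';   // clashes with PHP's own session.name

// --- After: a cookie name no other component on the host uses.
$config['store.type']            = 'sql';
$config['store.sql.dsn']         = 'mysql:host=localhost;dbname=simplesamlphp'; // assumed
$config['session.cookie.name']   = 'SimpleSAMLSessionID'; // SimpleSAMLphp's template default
$config['session.cookie.secure'] = true;

// --- Check to run from the application side (e.g. a health-check page).
// The autoloader path is an assumption; adjust to your install.
require_once '/var/simplesamlphp/lib/_autoload.php';

function sspCookieCollidesWithPhpSession()
{
    $ssp       = SimpleSAML_Configuration::getInstance();
    $store     = $ssp->getString('store.type', 'phpsession');
    $sspCookie = $ssp->getString('session.cookie.name', 'SimpleSAMLSessionID');
    // Only a non-PHP store (sql, memcache) keeps a session the application
    // cannot see; with phpsession the two share PHP's own session machinery.
    return $store !== 'phpsession' && $sspCookie === ini_get('session.name');
}

if (sspCookieCollidesWithPhpSession()) {
    trigger_error(
        'SimpleSAMLphp session.cookie.name equals PHP session.name (' . ini_get('session.name')
        . '): the application and SimpleSAMLphp will overwrite each other\'s cookie',
        E_USER_WARNING
    );
}
```

After renaming, clear existing cookies in the browser before retesting; a stale PHPSESSID left over from the old configuration will otherwise keep pointing at a SimpleSAMLphp session id that the application's PHP session handler cannot resolve.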

CIsSharp

Dec 14, 2016, 8:19:53 AM
to SimpleSAMLphp
Thank you Jaime. I am using SimpleSAMLphp for SAML login for one of our web applications. I am using SQL as the store, as I can see the tables are being populated. I replaced PHPSESSID with a different name and I even tried removing it, but it did not change the behavior. I have attached the log for reference. The behavior is like this:
1. Login through saml.
2. Wait for 90 seconds+.
3. Click any link or refresh page.
4. User gets logged off.
5. Navigate to saml login page.
6. It does redirect and auto logged in the user.
7. Repeat from 2

I debugged the code in simplesamlphp and found:
In simplesamlphp-1.14.8/lib/SimpleSAML/Session.php, it returns false after 90 seconds because $this->authData[$authority]['expire'] is smaller than now. $this->authData[$authority]['expire'] is being received as metadata from the service provider and they said it cannot be increased as there can be a chance of session hijacking. You can also check the log for details.

    public function isValid($authority)
    {
        assert('is_string($authority)');

        // No authentication data at all for this authority: never logged in, or already logged out.
        if (!isset($this->authData[$authority])) {
            SimpleSAML_Logger::debug(
                'Session: '.var_export($authority, true).
                ' not valid because we are not authenticated.'
            );
            return false;
        }

        // 'Expire' is the absolute timestamp recorded for this authority when the login completed.
        if ($this->authData[$authority]['Expire'] <= time()) {
            SimpleSAML_Logger::debug('Session: '.var_export($authority, true).' not valid because it is expired.');
            return false;
        }

        SimpleSAML_Logger::debug('Session: Valid session found with '.var_export($authority, true).'.');

        return true;
    }

I would really appreciate it if you could suggest how to resolve this issue.
Attachment: simplesamlphp.log
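The seven-step loop above and the `isValid()` check point at the same thing: SimpleSAMLphp fills `authData[$authority]['Expire']` from the assertion's `SessionNotOnOrAfter`, so any request that asks SimpleSAMLphp whether the user is still authenticated (`isAuthenticated()` or `requireAuth()`) will start failing 90 seconds after login, while the IdP session itself is still alive (which is why step 6 logs the user straight back in). The arrangement the IdP operator asked for is an application session that is populated once from the SAML result and then checked on its own. The following is an added example, not code from this thread, from SimpleSAMLphp or from Drupal; the autoloader path, the `default-sp` authsource name, the `uid`/`mail` attribute names, the cookie name and the 8-hour lifetime are all assumptions.

```php
<?php
// Added example, not from the thread, SimpleSAMLphp or Drupal. Bridges a
// completed SAML login into the application's own PHP session so that the
// per-request check no longer depends on authData['Expire'].
// Assumptions: autoloader path, 'default-sp' authsource, uid/mail attributes,
// APP_SESSION_NAME, and an 8-hour application lifetime.

require_once '/var/simplesamlphp/lib/_autoload.php';

const APP_SESSION_NAME     = 'APPSESSID'; // must differ from SimpleSAMLphp's session.cookie.name
const APP_SESSION_LIFETIME = 8 * 3600;    // application policy, independent of the IdP's 90 s

function appSessionStart()
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_name(APP_SESSION_NAME);
    session_set_cookie_params(0, '/', '', true, true); // secure and httponly cookie
    session_start();
}

/**
 * Login endpoint only (e.g. /saml/login): run the SAML exchange once, then
 * copy what the application needs into its own session.
 */
function appLoginViaSaml()
{
    $as = new SimpleSAML_Auth_Simple('default-sp');
    $as->requireAuth();            // redirects to the IdP; returns here once authenticated
    $attrs = $as->getAttributes(); // SimpleSAMLphp returns each attribute as an array of values

    appSessionStart();
    session_regenerate_id(true);   // new id after authentication: blocks session fixation
    $_SESSION['user'] = array(
        'uid'        => isset($attrs['uid'][0])  ? $attrs['uid'][0]  : null,
        'mail'       => isset($attrs['mail'][0]) ? $attrs['mail'][0] : null,
        'login_at'   => time(),
        'expires_at' => time() + APP_SESSION_LIFETIME,
    );
}

/**
 * Every other request: consult only the application session. Calling
 * $as->isAuthenticated() here would re-run the 'Expire' comparison from
 * isValid() and reproduce the logout-after-90-seconds behaviour.
 *
 * @return array|null the user record, or null when not logged in or expired
 */
function appCurrentUser()
{
    appSessionStart();
    if (!isset($_SESSION['user']) || $_SESSION['user']['expires_at'] <= time()) {
        unset($_SESSION['user']);
        return null;
    }
    return $_SESSION['user'];
}

/**
 * Logout: drop the application session first, then ask SimpleSAMLphp to end
 * the SAML session as well if it still considers the user authenticated.
 */
function appLogout($returnTo)
{
    appSessionStart();
    $_SESSION = array();
    session_destroy();
    $as = new SimpleSAML_Auth_Simple('default-sp');
    if ($as->isAuthenticated()) {  // false once the IdP-pinned 'Expire' has passed
        $as->logout($returnTo);
    }
}
```

With this split, the 90-second assertion validity only bounds how stale the SAML login may be at the moment `appLoginViaSaml()` runs; how long the user stays logged in to the application is decided by `APP_SESSION_LIFETIME` and the application's own idle-timeout policy, which is where an application-specific hijacking risk should be managed rather than by stretching the assertion.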

CIsSharp

Dec 14, 2016, 8:54:48 AM
to SimpleSAMLphp

Additional information: This is a Drupal application. Also, I am attaching a screenshot of the cookies: