-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Abandon cookie as session storage for v2.0.0 #275
Comments
Hey, What kind of help do you want? |
in which conditions the AWOL occurs? |
We haven't seen a common cause. It happens on all browsers on all platforms except of course the ones we test with. Regarding help: This ticket has the label 'help wanted'. What kind of help do you want? |
Do you have configured the samesite cookie? Help wanted -> tests and answers are needed |
set-cookie: saml_session=LONGSTRING; HttpOnly; Path=/; SameSite=None; Secure A lot of people are able to login. It's only some whom get the error 'UnsolicitedResponse'. edit removed '<' '>' around LONGSTRING to get it to show. |
it's something up to the users' user-agent please ask to them the user-agent and its version |
Could you elaborate? |
user-agent, I mean the web browser used by users |
Most errors come from: Chrome 105 - 107 Split evenly between windows, iOS and Mac. |
Doesn't its request have the saml2 cookie? |
Which request and which cookie exactly? |
Saml2 Response issued by idp triggers a post http request submitted by user's web browser to your sp In this request you should see the cookie your SP created previously, this links the Response to the request to the useragent, in your sp |
Logging shows the OutstandingQueriesCache is empty for users that encounter this problem. |
Hi, I can confirm we have the same issue with cookie going AWOL. Not sure of the cause either. |
The naive way to resolve this issue is enabling the unsolicited response in the SP but this lowers the security If I were you I would investigate way the SP SAML SESSION cookie is not returned back to the SP when the HTTP POST happens from the IDP side to provide the Saml Response back to the SP |
Due to the latest cookie restrictions made by modern web browser, eg: samesite cookie, I'm wondering if it were time to rewrite entirely the session backend used to store SAML2 requests.
Here we have how djangosaml2 handles the persistence, in saml_session cookie:
djangosaml2/djangosaml2/cache.py
Line 71 in 57ad2ba
I'd abadon cookie storage and move to a DB storage (RDBMS or NoSQL). The SAML2 requests alwasy come with an ID and this will be involved in lookup. This will also introduce a stronger replay attack prevention strategy, based on parsing and matching the SAML2 request on all those already stored, nothing else.
In each stored saml2 request there will be a link to user that have been authenticated with it and also the SAML2 response as evidence of that.
They would have an expiration time equal to the corrisponding SAML2 NotOnOrAfter condition and it would be periodically purged (scheduled or NoSQL strategy like Redis TTL).
see also
https://github.com/WICG/WebID/blob/main/cookies.md
The text was updated successfully, but these errors were encountered: