Skip to content

Session state in EB 4.0.0

Boy Baukema edited this page Mar 31, 2014 · 6 revisions

This page describes all session state kept for users.

Cookies

PHPSESSID

Session identifier. This is the temporary token handed to a user and kept in a HTTP cookie (sent with every request) that grants the user access to his/her session.

Note that this name depends on the session.name setting and it's scope depends on session.cookie-domain.

It's lifetime depends on session configuration but by default this is a 'session cookie' meaning that the browser will delete it when it is closed.

lang

Language to show the user interface in (defaults to en).

It's scope and lifetime depends on EngineBlock configuration, by default this is:

; Language Cookie settings
cookie.lang.domain = ".surfconext.nl"
; Cookie expiry time, specify the time in seconds, set empty to let the cookie get expired after the session
cookie.lang.expiry = 5184000 ; 60 days in seconds

selectedidp

Entity ID of the Identity Provider that was previously selected and will be shown as 'suggested' in the Identity Provider discover screen.

It's scope is the current domain, it's lifetime is 3 months.

Session data

Operational

SAMLRequest

We store all received SAML2 Requests for the duration of the session to:

  • Enable use of Discovery screen without replaying AuthnRequest.
  • Look up original Service Provider after the user returns from the Identity Provider with a SAML2 Response.

SAMLResponse

We cache all received SAML2 Responses for the duration of the session and reuse these when a user from a Service Provider does a new AuthnRequest. EngineBlock recognises 2 ways to reuse a response:

  1. A user does a new AuthnRequest from the same Service Provider and that Service Provider is still allowed to access the same Identity Provider. In this case the same Response (from the IdP) is used to create a new Response (saving the round trip to the IdP).
  2. A user does a new AUthnRequest from a different SP. In this case EngineBlock will request the list of available IdPs and if the user has a cached response from one of these then the user will not be shown a Discovery screen but will be redirected to the IdP.

Consent

We store the response between asking for and having given the response.

Processing

Corto has a mechanism called "Processing" which is used for steps that require user input, storing the login flow state, asking for user input and upon getting the user input retrieving the login flow state and continuing to the next step or to sending the response to the SP.

Profile Group OAuth data

Profile allows users to add a Group Provider via OAuth. The 'return_url' (where to return to) and the OAuth Request Token are persisted in session storage.

CollabPersonId

The 'collabPersonId' or federation identifier (urn:collab:person...) is determined during processing of the incoming Response, but required during the entire flow, as such it is persisted in the session storage.

Transient NameID

Within a given session EB will should never give out a different Transient NameID for the same combination of SP and IdP.

Auditing

We store various data for auditing:

  • Last error feedback data
  • Logging (used when an error occurs)
  • Current ServiceProvider / Identity Provider (for logging, even before response validation)
  • Response from Idp for Idp Debugging

Session timeout

EngineBlock uses the native PHP Session controls that means the settings described at "Session Configuration" on php.net are relevant.

By default this will mean that a session will live 24 minutes past it's last accessed date.