Replies: 2 comments
-
I don't think caching is the issue, more probably an SPA/cookie issue, see: https://github.com/zmartzone/mod_auth_openidc/wiki/Single-Page-Applications#avoid-state-cookie-overload, a version upgrade may help
-
Actually the server serves quite old applications (Struts 1 apps only), so there are no SPA applications in this case... Does OIDCCacheShmMax have one entry per session, or may one entry contain the data of many sessions? And how many?
-
Hi,
We are facing an issue in production for internal services: we have a huge number of redirections to our OIDC provider (which is Keycloak), something like many times more than the number of connected users.
We have around 2000 users and it generates 80000 authentication requests to Keycloak, which does not seem normal to me.
As these are internal services, we have set:
OIDCSessionInactivityTimeout 28800
The documentation indicates "When caching a large number of entries the cache size limit may be reached and the least recently used entry will be overwritten. If this happens within 1 hour, errors will be displayed in the error.log and the OIDCCacheShmMax value may be increased."
I suspect our problem could be related to the default sizing of OIDCCacheShmMax which is 500 but we have no errors in the log file.
What error message would be logged if the cache size was detected as an issue?
I suspect the 1 hour interval is too long in our case; it would perhaps be better to check it every ten minutes, but it does not seem to be configurable.
In order to confirm that, I would like to know if there is a way to check the effective number of OIDC cache shared memory entries?
If increasing OIDCCacheShmMax solves our problem, I would consider monitoring this value over time. Is there a way, from a Linux command, an Apache command or an HTTP check, to monitor this value constantly?
For debugging purposes, is there a way to list all the shared memory OIDC sessions (at least the keys)?
Final question: do you think it is more advisable to use a file cache mechanism over the default shared memory one in our situation?
Thanks for your help and the work on mod_auth_openidc,