What activity resets OIDCSessionInactivityTimeout timer?

[chrisinmtown]

What browser requests reset the session inactivity timeout timer in mod auth openidc?

We have an Angular single-page app served by Apache HTTPD with mod_auth_openidc, which also protects the backend REST API. I configured mod_auth_openidc with OIDCSessionInactivityTimeout 1800; i.e., 30 minutes. The app automatically refreshes some data via a REST request every 15 minutes, and every REST request sets the header X-Requested-With=XMLHttpRequest. However we see after about 30 minutes the data endpoint returns 401, that the session has timed out, even tho I can see in the browser console that there definitely was activity in that interval. It's like these REST requests don't reset the inactivity timeout.

Please help me understand this behavior, thanks.

[zandbelt]

if the request contains a session cookie it will reset the inactivity timeout, regardless of the type of the request; you should be able to verify the resetting in the server debug logs, i.e.:

src/mod_auth_openidc.c(851): oidc_log_session_expires: session inactivity timeout: Wed, 03 Nov 2021 08:49:01 GMT (in 1799 secs from now)

[chrisinmtown]

Thanks for the quick reply. I am posting to confirm that the timeout is working exactly as described. I turned on debug and found that log output, which confirms that mod_auth_oidc accepted the timeout config of 1800 seconds:

[Fri Nov 12 12:59:35.181188 2021] [auth_openidc:debug] [pid 7:tid 139964310345472] src/mod_auth_openidc.c(850): [client 192.168.99.1:58596] oidc_log_session_expires: session inactivity timeout: Fri, 12 Nov 2021 13:29:34 GMT (in 1798 secs from now), referer: https://engine-dev.my.company.com:63443/timeline

Then I waited 15 minutes for the app to poll the backend and I saw the timer was definitely reset:

[Fri Nov 12 13:14:35.357641 2021] [auth_openidc:debug] [pid 92:tid 139964218025728] src/mod_auth_openidc.c(850): [client 192.168.99.1:59679] oidc_log_session_expires: session inactivity timeout: Fri, 12 Nov 2021 13:44:35 GMT (in 1799 secs from now), referer: https://engine-dev.my.company.com:63443/timeline

Waited the next 15 minutes and again all was as expected:

[Fri Nov 12 13:29:35.355612 2021] [auth_openidc:debug] [pid 92:tid 139964201240320] src/mod_auth_openidc.c(850): [client 192.168.99.1:60607] oidc_log_session_expires: session inactivity timeout: Fri, 12 Nov 2021 13:59:35 GMT (in 1799 secs from now), referer: https://engine-dev.my.company.com:63443/timeline

At 45 minutes a different thing happened, I see the real cause of the problem was exceeding the max session duration:

[Fri Nov 12 13:44:35.356537 2021] [auth_openidc:warn] [pid 92:tid 139964327130880] [client 192.168.99.1:61821] oidc_check_max_session_duration: maximum session duration exceeded for user: [email protected], referer: https://engine-dev.my.company.com:63443/timeline

I will look into that further and not clutter this discussion.

[OlivierBOEL]

Aren't you hitting OIDCSessionMaxDuration?