Entra ID: 5 min session expiration #1347

Answered by zandbelt
mayrstefan asked this question in Q&A

We followed https://github.com/OpenIDC/mod_auth_openidc/wiki/Microsoft-Entra-ID--(Azure-AD) and configured the session type as OIDCSessionType client-cookie:persistent.

This works but the session cookie expires after 5 minutes and we are redirected to the Microsoft Login. Is there some configuration that needs to be changed on the Entra ID side or can this be fixed within mod_auth_openidc configs?

We use version 2.3.8 as part of SLES15. If this is a known issue that was fixed in a later version I can open a ticket with SUSE to upgrade the package to a version that fixes that.


Firstly, 2.3.8 is 7 years old; you must not use security software in production that has not been updated since 2018.

Then, one should not use a persistent session cookie, as it survives restarts and doesn't allow the user to log out by killing the browser, which is a security risk as well.

Lastly, you are most likely running into a session inactivity timeout, as the default setting is 5 mins, see:
https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.18/auth_openidc.conf#L632-L634

I share your concern with that old version. But that is what enterprise Linux distros do. That version got two updates this year to backport CVE fixes.

You were right: I completely missed OIDCSessionInactivityTimeout. Increasing that works as expected.

But there is a catch with the persistent vs. temporary cookie:
We have configurations with a ForgeRock IdP which does a very fast reauthentication when the session is expired. That was so fast that I didn't see it also had this 5 min timeout.
Now with Entra ID this became visible because those redirects are much slower, and when it comes back to our Apache httpd we get a 400 Bad Request error. The logs in LogLevel debug provided no hint what was wrong. Now changing this to a persistent session cookie made that cookie disappear when the session was expired, and all the redirects to reauthenticate worked as expected. But that problem may have its roots in this old Frankenstein version. I did a test with version 2.4.17 from the openSUSE build service which did not have this problem.
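For reference, here is an added example configuration (not from the discussion or the project's own docs) that puts the two points of the answer side by side: the non-persistent session cookie, and OIDCSessionInactivityTimeout raised above its 300-second default. The tenant, client and URL values are placeholders.

```apache
# Added example: mod_auth_openidc 2.4.x session settings behind Entra ID.
# <TENANT-ID>, <CLIENT-ID>, <CLIENT-SECRET>, <RANDOM-PASSPHRASE> and the
# hostname are placeholders, not values from the discussion.
OIDCProviderMetadataURL https://login.microsoftonline.com/<TENANT-ID>/v2.0/.well-known/openid-configuration
OIDCClientID <CLIENT-ID>
OIDCClientSecret <CLIENT-SECRET>
OIDCRedirectURI https://www.example.com/protected/redirect_uri
OIDCCryptoPassphrase <RANDOM-PASSPHRASE>

# Weak (what the question started with): a persistent cookie survives
# browser restarts, so closing the browser does not end the session.
# OIDCSessionType client-cookie:persistent

# Preferred: a plain session cookie, dropped when the browser is closed.
OIDCSessionType client-cookie

# Seconds without a request before the session is considered inactive.
# The default of 300 is the "5 minutes" seen in the question.
OIDCSessionInactivityTimeout 1800

# Absolute cap on session lifetime in seconds (default is 8 hours).
# Inactivity timeout should stay below this value.
OIDCSessionMaxDuration 28800

<Location /protected>
  AuthType openid-connect
  Require valid-user
</Location>
```

After an inactivity timeout the module redirects to the provider for re-authentication, so the interval chosen here is also the longest an idle browser can keep an authenticated session open.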
