
Abandon cookie as session storage for v2.0.0

Open peppelinux opened this issue 4 years ago • 16 comments

Due to the latest cookie restrictions made by modern web browsers, e.g. SameSite cookies, I'm wondering if it is time to entirely rewrite the session backend used to store SAML2 requests.

Here is how djangosaml2 handles persistence, in the saml_session cookie: https://github.com/IdentityPython/djangosaml2/blob/57ad2ba38f93eebc579e0e6fb523d245dfd96085/djangosaml2/cache.py#L71

I'd abandon cookie storage and move to DB storage (RDBMS or NoSQL). SAML2 requests always come with an ID, and this will be involved in the lookup. This will also introduce a stronger replay attack prevention strategy, based on parsing and matching the SAML2 request against all those already stored, nothing else.

Each stored SAML2 request will carry a link to the user that has been authenticated with it, and also the SAML2 Response as evidence of that. They would have an expiration time equal to the corresponding SAML2 NotOnOrAfter condition and would be periodically purged (scheduled, or a NoSQL strategy like Redis TTL).

See also https://github.com/WICG/WebID/blob/main/cookies.md

peppelinux avatar May 22 '21 22:05 peppelinux

Hey, we're experiencing problems due to the cache being tied to cookies, i.e. sometimes the session cookie goes AWOL between us setting it and the user coming back with the credentials.

What kind of help do you want?

rvanlaar avatar Nov 10 '22 10:11 rvanlaar

Under which conditions does the AWOL occur?

peppelinux avatar Nov 10 '22 15:11 peppelinux

Under which conditions does the AWOL occur?

We haven't seen a common cause. It happens on all browsers on all platforms, except of course the ones we test with.

Regarding help: This ticket has the label 'help wanted'. What kind of help do you want?

rvanlaar avatar Nov 10 '22 17:11 rvanlaar

Have you configured the SameSite cookie? Which hostname do you use for the tests (that work)?

Help wanted -> tests and answers are needed

peppelinux avatar Nov 10 '22 23:11 peppelinux

set-cookie: saml_session=LONGSTRING; HttpOnly; Path=/; SameSite=None; Secure

A lot of people are able to log in. It's only some who get the error 'UnsolicitedResponse'.

Edit: removed '<' and '>' around LONGSTRING to get it to show.

rvanlaar avatar Nov 15 '22 15:11 rvanlaar

It's something related to the users' user-agent.

Please ask them for the user-agent and its version.

peppelinux avatar Nov 15 '22 15:11 peppelinux

Could you elaborate? Are you saying it's the user-agent? Or that it's due to the browser used?

rvanlaar avatar Nov 15 '22 15:11 rvanlaar

By user-agent, I mean the web browser used by the users.

peppelinux avatar Nov 15 '22 15:11 peppelinux

Most errors come from:

Chrome 105 - 107
Mobile Safari 15.6.1 & 16.0
Safari 15.6.1
Edge 106

Split evenly between Windows, iOS and Mac.

rvanlaar avatar Nov 15 '22 16:11 rvanlaar

Doesn't their request have the SAML2 cookie?

peppelinux avatar Nov 15 '22 20:11 peppelinux

Which request and which cookie exactly?

rvanlaar avatar Nov 15 '22 21:11 rvanlaar

The SAML2 Response issued by the IdP triggers an HTTP POST request, submitted by the user's web browser to your SP.

In this request you should see the cookie your SP created previously; this links the Response to the request and to the user agent, in your SP.

peppelinux avatar Nov 15 '22 23:11 peppelinux

Logging shows the OutstandingQueriesCache is empty for users that encounter this problem. Whether those users submit the cookie on POST, I don't know.

rvanlaar avatar Nov 16 '22 14:11 rvanlaar

Under which conditions does the AWOL occur?

Hi, I can confirm we have the same issue with cookie going AWOL. Not sure of the cause either.

dino8890 avatar Oct 17 '23 13:10 dino8890

The naive way to resolve this issue is enabling unsolicited responses in the SP, but this lowers security.

If I were you I would investigate why the SP saml_session cookie is not returned to the SP when the HTTP POST happens from the IdP side to deliver the SAML Response back to the SP.

peppelinux avatar Oct 18 '23 08:10 peppelinux
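The following is an added example, not djangosaml2 code and not written by anyone in this thread. It sketches the design from the opening post (an outstanding-request store keyed by the SAML2 request ID rather than by a cookie, with each row bound to the authenticated user and the Response that consumed it, expiring at the assertion's NotOnOrAfter and purged on a schedule) and the check discussed at the end of the thread: a Response whose InResponseTo matches no stored request is rejected as unsolicited instead of being accepted, and a second Response against an already-consumed request is rejected as a replay. The table name, the function names and the minimal samlp:Response built by sample_response() are assumptions constructed for the demo; signature and assertion validation are out of scope and must still be done by the SAML library.

```python
"""DB-backed outstanding-request store keyed by the SAML request ID.

Added example sketching the design proposed in this issue; not djangosaml2 code.
Table/function names are assumptions; sample_response() is constructed input.
"""
import sqlite3
import time
import xml.etree.ElementTree as ET
from datetime import datetime

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

SCHEMA = """
CREATE TABLE IF NOT EXISTS saml_outstanding (
    request_id  TEXT PRIMARY KEY,  -- AuthnRequest ID: the only lookup key, no cookie
    came_from   TEXT NOT NULL,     -- where the user goes after login
    expires_at  REAL NOT NULL,     -- request lifetime, then NotOnOrAfter once bound
    response_id TEXT UNIQUE,       -- Response ID kept as evidence of consumption
    user_id     TEXT               -- subject that authenticated with this request
)
"""


class UnsolicitedResponse(Exception): pass   # InResponseTo matches nothing we issued
class ReplayError(Exception): pass           # request or Response already consumed
class ExpiredError(Exception): pass          # request outlived its lifetime


def _ts(iso8601):
    """SAML xs:dateTime such as '2021-05-22T22:10:00Z' to a POSIX timestamp."""
    return datetime.fromisoformat(iso8601.replace("Z", "+00:00")).timestamp()


class RequestStore:
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript(SCHEMA)

    def add_request(self, request_id, came_from, lifetime=300, now=None):
        """Record an AuthnRequest the SP just issued (replaces the saml_session cookie)."""
        now = time.time() if now is None else now
        self.db.execute(
            "INSERT INTO saml_outstanding (request_id, came_from, expires_at) VALUES (?, ?, ?)",
            (request_id, came_from, now + lifetime))
        self.db.commit()

    def consume_response(self, xml_text, user_id, now=None):
        """Bind a samplp:Response to its outstanding request; raise if it cannot be."""
        now = time.time() if now is None else now
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAMLP}}}Response":
            raise UnsolicitedResponse("not a samlp:Response")
        in_response_to, response_id = root.get("InResponseTo"), root.get("ID")
        if not in_response_to or not response_id:
            raise UnsolicitedResponse("Response carries no InResponseTo/ID")
        row = self.db.execute(
            "SELECT came_from, expires_at, response_id FROM saml_outstanding WHERE request_id = ?",
            (in_response_to,)).fetchone()
        if row is None:
            raise UnsolicitedResponse(f"no outstanding request {in_response_to}")
        came_from, expires_at, bound_response = row
        if bound_response is not None:
            raise ReplayError(f"request {in_response_to} already consumed")
        if self.db.execute("SELECT 1 FROM saml_outstanding WHERE response_id = ?",
                           (response_id,)).fetchone():
            raise ReplayError(f"response {response_id} already seen")
        if now >= expires_at:
            raise ExpiredError(f"request {in_response_to} expired")
        # Keep the row until the assertion's own NotOnOrAfter so a replayed Response
        # still matches it; after that the Response is invalid on its own terms.
        cond = root.find(f".//{{{SAML}}}Conditions")
        if cond is not None and cond.get("NotOnOrAfter"):
            expires_at = _ts(cond.get("NotOnOrAfter"))
        self.db.execute(
            "UPDATE saml_outstanding SET response_id = ?, user_id = ?, expires_at = ? "
            "WHERE request_id = ?", (response_id, user_id, expires_at, in_response_to))
        self.db.commit()
        return came_from

    def try_consume(self, xml_text, user_id, now=None):
        """consume_response() reported as (status, came_from) instead of raising."""
        try:
            return "ok", self.consume_response(xml_text, user_id, now=now)
        except UnsolicitedResponse:
            return "unsolicited", None
        except ReplayError:
            return "replay", None
        except ExpiredError:
            return "expired", None

    def purge(self, now=None):
        """Scheduled cleanup standing in for a Redis-style TTL; returns rows removed."""
        now = time.time() if now is None else now
        cur = self.db.execute("DELETE FROM saml_outstanding WHERE expires_at <= ?", (now,))
        self.db.commit()
        return cur.rowcount


def sample_response(in_response_to, response_id, not_on_or_after):
    """Constructed minimal Response for the demo; real ones are signed and carry a Subject."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" Version="2.0" '
            f'ID="{response_id}" InResponseTo="{in_response_to}">'
            f'<saml:Assertion ID="{response_id}-a">'
            f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"/>'
            '</saml:Assertion></samlp:Response>')
```

Because the lookup key travels inside the Response itself (InResponseTo), the SP no longer depends on the browser returning a SameSite=None cookie on the cross-site POST from the IdP, which is exactly the step that goes missing for the users in this thread. The consumed row doubles as the replay record: it is only purged once the assertion's NotOnOrAfter has passed, at which point the Response would fail validity checks anyway.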