Aurélien Bompard
The [server code](https://github.com/fedora-infra/flask-mod-auth-gssapi/blob/stable/flask_mod_auth_gssapi/ext.py) checks the ticket lifetime of the credentials that mod_auth_gssapi makes available in `KRB5CCACHE` (in `/httpdir/run/ccaches`), and finds that they are expired by looking at their [lifetime attribute](https://github.com/fedora-infra/flask-mod-auth-gssapi/blob/fedc7ee132cfbeefd58fa564451acb170fd28219/flask_mod_auth_gssapi/ext.py#L48). If...
Hmm no I'm not sending a `Negotiate` header to the client when I do a 401. I "manually" do a 401 from the Python code when I see that the...
> alternatively you could return a Redirect error to the client where you also tell the client to invalidate the cookie.

Oh good idea, I'll try that.

> What is...
OK I did manage to work around the issue by having the server return a 302 to the same address with the HTTP header that I had set in `SessionHeader` set...
> Perhaps I need to cross check the cache lifetime with the lifetime claimed in the cookie. I expect there may be cases when the client can get confused and...
> The expiration is one of the data points in the encrypted part (MagBearerToken).

Ah, that makes sense :-) If I understand correctly, the mod_session cookie is shared with other...
On the actual servers the ticket_lifetime is 24h for each, I've set it short on my testing env because I didn't want to wait a day to see if my...
I think you may be right, because I've seen the delegated credentials lifetime be shorter than 24h even right after they were obtained. This is what I currently have on...
> Ok, so I am surprised that the client would even get back a 401 in this scenario, as the delegate credentials are not something mod_auth_gssapi would check during authentication,...
> I have been thinking about this for a while, and I do not see a very clean solution

Thanks for looking at it!

> I think one way would...