
Impossible to login after session timeout #1601

Closed
rickhoutman opened this issue Apr 23, 2024 · 2 comments
Assignees
Labels
status: invalid An issue that we don't feel is valid

Comments

@rickhoutman

Describe the bug
When I am on the login page without doing anything for more than 30 minutes (the default session timeout) and then try to login, it is impossible to login, because the authorization server doesn't know my client id, redirect uri, etc. anymore, because my session timed out.

To Reproduce

Expected behavior
I expect to be able to login after staying idle for a while on the login page.

@rickhoutman rickhoutman added the type: bug A general bug label Apr 23, 2024
@jgrandja
Collaborator

@rickhoutman Spring Security uses a RequestCache to save requests before commencing the authentication process. After a successful authentication, it will use the SavedRequest from the RequestCache to re-trigger the request. In this scenario, the OpenID Connect authentication request is re-triggered to proceed with the OIDC flow. However, since the default RequestCache is HttpSessionRequestCache, the SavedRequest is removed from the session on a session timeout and the OIDC flow cannot continue.

If you would like to configure the default HttpSessionRequestCache, you can customize it via HttpSecurity.requestCache().

Having said that, I don't think this is a valid use case:

I expect to be able to login after staying idle for a while on the login page.

Depending on what you mean by a while... if it's staying idle for 30 mins, then I believe this is an edge case as most users will not sit at the login page for 30 mins and then attempt to login after that.

I'm going to close this but if you need to fulfill this requirement then you can provide your own HttpSecurity.requestCache() that will not expire the SavedRequest after a session timeout.

@jgrandja jgrandja self-assigned this Apr 26, 2024
@jgrandja jgrandja added status: invalid An issue that we don't feel is valid and removed type: bug A general bug labels Apr 26, 2024
@rickhoutman
Author

@jgrandja Thank you for your comment and pointing me in the right direction. I agree it is a little bit of an edge case, but I still decided to solve this problem by using the CookieRequestCache in combination with the CookieCsrfTokenRepository.

In the default security filter chain added:
http.csrf(csrf -> csrf.csrfTokenRepository(new CookieCsrfTokenRepository()))

And added bean:
@Bean public RequestCache requestCache() { return new CookieRequestCache(); }
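The two pieces of the workaround described above (cookie-backed SavedRequest plus cookie-backed CSRF token), written out as one complete Spring Security configuration. This is an added example, not code from the issue or from Spring Authorization Server; the class and bean names are my own.

```java
// Added example (not from the issue or the project): a SecurityFilterChain whose
// login keeps working after the HTTP session expires, by moving both the
// SavedRequest and the CSRF token out of the HttpSession.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.savedrequest.CookieRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;

@Configuration
@EnableWebSecurity
public class SessionIndependentLoginConfig {

    @Bean
    public RequestCache requestCache() {
        // Replaces the default HttpSessionRequestCache. The original request URL
        // (here the /oauth2/authorize request with client_id, redirect_uri, ...)
        // is kept in a Base64-encoded, HttpOnly cookie instead of the session,
        // so a session timeout on the login page no longer discards it.
        // Only the URL is stored, so keep an eye on the ~4 KB cookie size limit
        // for authorization requests with long scope lists or PKCE parameters.
        return new CookieRequestCache();
    }

    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http,
            RequestCache requestCache) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // Explicit registration; Spring Security also picks up a RequestCache
            // bean automatically, so the bean alone (as in the comment above) works.
            .requestCache(cache -> cache.requestCache(requestCache))
            // The CSRF token must outlive the session too: with the default
            // HttpSessionCsrfTokenRepository the token vanishes on timeout and the
            // login form POST is rejected with 403 before the cache is ever read.
            // CookieCsrfTokenRepository uses a double-submit cookie (XSRF-TOKEN),
            // HttpOnly by default; use withHttpOnlyFalse() only if JS must read it.
            .csrf(csrf -> csrf.csrfTokenRepository(new CookieCsrfTokenRepository()));
        return http.build();
    }
}
```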
