User induced session stomping?

Roy, Nicholas S nicholas-roy at
Mon Aug 27 11:32:32 EDT 2012

We're seeing something very odd with our IdP version 2.3.8 deployment- if you open a browser and try to go to a specific service provider, SP-A, using SAML2 SSO, you get to our login page (using Username/Password login handler, not RemoteUser.)  If you leave the login page up and open another tab, and from there try to access a different service provider, SP-B, again using SAML2 SSO, you get taken to our login page again.  If you login to SP-B, you are successfully issued a SAML token.  If you then go back to SP-A and try to log in to the login page, you get an error message and the logs show this:

10:14:09.083 - WARN [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:147] - No login context available, unable to return to authentication engine

This seems like maybe it's a situation where session cookies getting stepped on- what do you think?  Is there a way to prevent this from happening?  We do have an F5 BigIP load balancer in the mix, but we see this behavior with cookie affinity enabled, so the front-channel sessions are stuck to the same node.

Has anyone else seen this?  Is this expected behavior?  Do you have any recommendations for ways to fix this or wording we should put on our login page to keep people from doing this?



-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list