Mod_shib sessions created for every request in a reverse proxy config

Cantor, Scott cantor.2 at
Tue May 17 10:10:01 EDT 2016

On 5/16/16, 6:30 PM, "users on behalf of Florin Stingaciu" <users-bounces at on behalf of florin.stingaciu at> wrote:

>Basically, any request I make to server/app will auth against the IDP and create a new session every single time.

You would have to trace the activity, follow the cookie trail, and assuming the cookie is resent as expected for the resource, you're going to have to look at the logs to identify why it's not honoring the session as valid. I can't tell you why, you have the logs. If you're not looking at native.log as well, then that's probably where the error regarding the session might be.

>It is also worth to note that my app does a bunch of redirects to itself and generates a bunch of css on the fly. Thus causing a lot of things to not load properly.

That's probably because it's creating multiple requests to the IdP at the same time, which won't ever work. Only the full frame request is going to result in a real login.

-- Scott

More information about the users mailing list