"Replay detected of message" causes

Cantor, Scott cantor.2 at osu.edu
Wed Apr 19 18:45:35 EDT 2017


On 4/19/17, 6:34 PM, "users on behalf of Nate Klingenstein" <users-bounces at shibboleth.net on behalf of ndk at sudonym.me> wrote:

> There is no obvious pattern to when or how we're seeing these get
> replayed or played outside the initial expiration, but it has been
> generally observed with devices that are on constrained networks, and
> generally using applications with embedded web browsers.  These
> AuthnRequests are not signed nor trusted in any way, so I would like
> to error out less frequently if possible.  I'm hearing, that's
> impossible.

I can't imagine how you would even notice, the log should be full of them. I get them every minute of every day if I don't filter them. Maybe I don't know what you actually mean here, but there's nothing that would distinguish the ones you're talking about from anybody on campus behaving perfectly normally that I can think of.

> I'm not sure how squelching log warnings is more statistically
> meaningful than avoiding the check in the first place, though we don't
> collect that auditing data from the IdP anyway.

Skipping replay checks means a back button that actually replays a message will cause a new login that the user didn't intend to do. Counts like that usually matter to people. Avoiding the check distorts data people look at. Doing the check impacts nothing anybody looks at that I've ever heard, mainly because it should be happening non-stop.

> >When I said you could do it, I meant "under no circumstances should you do it".
>
> You'll forgive the misinterpretation, I hope.

I really assumed my initial sarcasm was implied, but I realized it wasn't.

-- Scott
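A minimal model of the replay check discussed in this thread, as an added example that is not part of the original message and is not Shibboleth's code. It shows how skipping the check turns each resent request into an extra recorded login; all names, the 300-second lifetime and the sample requests are assumptions constructed for illustration.

```python
# Generic model of an IdP-side replay check; not Shibboleth code.
# All names, the 300 s lifetime and the sample requests are constructed.

LIFETIME = 300  # assumed validity window of a request, in seconds


class ReplayCache:
    """Remembers message IDs until the message itself would have expired."""

    def __init__(self):
        self._seen = {}  # message ID -> expiry time

    def is_replay(self, msg_id, expires_at, now):
        # Entries past their expiry can be dropped: an expired message is
        # rejected on age alone, so its ID no longer needs remembering.
        self._seen = {m: e for m, e in self._seen.items() if e > now}
        if msg_id in self._seen:
            return True
        self._seen[msg_id] = expires_at
        return False


def tally(requests, replay_check=True):
    """Count outcomes for (msg_id, issued_at, arrived_at) in arrival order."""
    cache = ReplayCache()
    counts = {"logins": 0, "replays": 0, "expired": 0}
    for msg_id, issued_at, arrived_at in requests:
        expires_at = issued_at + LIFETIME
        if arrived_at >= expires_at:
            counts["expired"] += 1
        elif replay_check and cache.is_replay(msg_id, expires_at, arrived_at):
            counts["replays"] += 1   # warning logged, no new login
        else:
            counts["logins"] += 1    # a login event is recorded
    return counts


# Constructed sample: two users hit "back" and resend the same request.
SAMPLE = [
    ("_a1", 0, 2), ("_a1", 0, 40),
    ("_b2", 100, 101),
    ("_c3", 200, 201), ("_c3", 200, 230),
    ("_d4", 300, 700),   # arrives after its validity window
]

if __name__ == "__main__":
    print("with check:   ", tally(SAMPLE))
    print("without check:", tally(SAMPLE, replay_check=False))
```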




