JSESSIONID issues, Stale Session. (SameSite issue?)

Duncan Brannen dbb at st-andrews.ac.uk
Thu Jan 20 16:39:29 UTC 2022 

Hi All,
                Appreciate this probably isn't a shibboleth issue but I've seen this come up now and again so hopefully someone can throw a little light on our problem.

Occasionally, and it seems to affect some users far more than others we have people report Stale Session errors.  I've seen reports for Edge, Chrome, Firefox, Safari, Windows, MacOS.  On Windows and Chrome I 'generally' do not see this issue, maybe once a week at most.  I need to try and force it to happen by repeatedly switching between resources and logins, waiting for hours and going back to a session but still cannot reliably replicate.

Going back to the login link again seems to work and after logging the JESSIONID value in the logs, I can trace the users path through haPRoxy -> Apache (mod proxy) -> Tomcat where Shib runs with the cookie matching.  Either, the browser ends up with a second JSESSIONID cookie that it sends or it vanishes from the Request headers.

I've managed to get a capture from Chrome using the dev tools for the situation where the cookie vanishes and it seems Chrome is filtering it with an error about sameSite defaulting to Lax because it wasn't explicitly set.  The referrer in this case is MS (Azure AD as we use proxy Auth) Until this time the cookie was successfully being used for multiple authentications.  The shib_idp_session cookie is unaffected.

Is this the same site issue described at https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1284276231/SameSite  and browsers decide to implement blocking the cookie randomly/ on some condition I'm not spotting?

If not has anyone seen anything similar and can point me in the direction of where to look next?

We were late moving to 4 and this seems to have arrived with that but we've also added Azure(proxy) auth and Cas support at the same time.

(htmlStoragesession = true, idp.session.StorageService = shibboleth.StorageService)

Thanks,
              Duncan


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220120/d66f8716/attachment.htm>

More information about the users mailing list