Another Stale Request Post

Jason Rotunno jrotunno at
Fri Nov 11 16:39:01 UTC 2022

So we have a service provider that uses CAS to authenticate against our
Shib 4 instance. Apparently, it stopped working sometime over the summer
but the users only just now got around to reporting it to us:

   1. Users browse to the SP, click the login link, and are redirected to
   our IdP.
   2. They perform password authentication, are redirected to Duo, and
   authenticate via a push
   3. They're then redirected back to Shib. At this point the stale request
   error appears.

The logs show what I'm sure many of us have seen before:

2022-11-11 10:54:10,956 - ERROR
[net.shibboleth.idp.authn.ExternalAuthenticationException:91] -
[] -
net.shibboleth.idp.authn.ExternalAuthenticationException: Error retrieving
flow conversation
Caused by:
No flow execution could be found with key 'e2s2' -- perhaps this executing
flow has ended or expired? This could happen if your users are relying on
browser history (typically via the back button) that references ended flows.
Caused by:
org.springframework.webflow.conversation.NoSuchConversationException: No
conversation could be found with id '2' -- perhaps this conversation has

I turned up logging for spring and noticed this:

2022-11-11 11:02:22,342 - DEBUG
[org.springframework.web.servlet.DispatcherServlet:119] - [] - *GET
2022-11-11 11:02:22,342 - DEBUG
[org.springframework.webflow.mvc.servlet.FlowHandlerMapping:114] -
[] - *No flow mapping found for request with URI
2022-11-11 11:02:22,342 - DEBUG
- [] - Mapped to
2022-11-11 11:02:22,342 - DEBUG
- [] - Getting flow execution with key 'e5s3'
2022-11-11 11:02:22,342 - ERROR
[net.shibboleth.idp.authn.ExternalAuthenticationException:91] -
[] -
2022-11-11 11:02:22,342 - DEBUG
[org.springframework.web.servlet.DispatcherServlet:1349] - [] -
Using resolved error view: ModelAndView [view="error";
Error retrieving flow conversation,
request=org.apache.catalina.connector.RequestFacade at 1328262b, encoder=class, springContext=Root
WebApplicationContext, started on Wed Oct 26 14:18:57 EDT 2022,
response=org.apache.catalina.connector.ResponseFacade at 35a01e83}]
2022-11-11 11:02:22,342 - DEBUG
[org.springframework.web.servlet.DispatcherServlet:1131] - [] -
Completed 200 OK

This happens during every login attempt, in Firefox and Chrome, and on
Windows and Linux. I'm at a loss so I'm hoping someone can provide some



Jason Rotunno
System & Security Administrator
Swarthmore College
500 College Ave
Swarthmore, PA 19081

*VERIFY before you click!!*
  - Attackers make their emails look like they come from someone they don't.
  - Attackers make links look like they go to websites they don't.
  - Attackers disguise malware as receipts, invoices, faxes, etc.

Forward suspicious emails to phishing at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list