How to deal with Http Session Timeout when using SSO

Submitted by 醉酒当歌 on 2019-12-11 06:26:19

Question


I have a Spring application (let's call it A for Authentication) used as an authentication server. A is enabling SSO for two other applications (B for Business and C for Client).

SSO authentication is done by redirection:

  • a user goes to the B or C URL and is redirected to the A login page for authentication. Once logged in, he is redirected back to the B or C application.

The redirection is done using the redirectUrl parameter in the org.springframework.security.web.savedrequest.SavedRequest.

So, a user can either be coming from the B or C application, or logging in directly to his account on the A application.

My problem is the following. Let's take the case of a user who wants to connect to the B application: once he is redirected to the A application, he does not log in. After a while a session timeout occurs and the session is destroyed, so when he logs in, he is not redirected to the B application, but rather to his account on the A application.

Possible solutions:

  • The obvious way is to disable the timeout on the HttpSession:

    <session-config>
        <session-timeout>-1</session-timeout>
    </session-config>

    This is not a very good idea, as it is a security risk and a threat to overload the authentication server.

  • I added a HttpSessionDestroyedEvent ApplicationListener in order to detect a timeout and store the request of the session to be destroyed. The main idea was to redirect the user once he is connected after the timeout. So on a successful connection, I check my request cache in the AuthenticationSuccessHandler to see if a request is stored and redirect the user.

    // timeOutHandler is the custom listener that cached the SavedRequest of the destroyed session
    if (timeOutHandler.isTimeOut()) {
        redirectStrategy.sendRedirect(request, response,
                timeOutHandler.getRequest().getRedirectUrl());
        timeOutHandler.clearSession(); // drop the cached request so it is used only once
        return;
    }


    The problem with this approach is that I have no previous knowledge of the user who caused the timeout and I could end up in a scenario like this:

    • A user comes from the B application and causes a timeout.
    • The request with the redirect to B is stored.
    • Another user comes from the C application and also causes a timeout.
    • The request with the redirect to B is overridden by the request with the redirect to C.
    • The first user tries to connect; he will be redirected to application C.

So, what do you think will be the best approach, or do you have a better solution?

Thank you for your help.


Answer 1:


If it can help, the solution I went with was to add a hidden field in the login form and store the redirect URL, so it can be accessed from the back end even after the session timeout.
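Carrying the redirect URL in a hidden form field means the value now comes from the client rather than from the server-side SavedRequest, so the success handler has to check it before redirecting. The following AuthenticationSuccessHandler is an added example, not the answerer's code; it assumes the hidden field is named redirectUrl, uses placeholder origins for B and C, and targets Spring Security 5.x with the javax.servlet API.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/**
 * Honours a redirect URL carried in a hidden login-form field ("redirectUrl",
 * an assumed name) only when it points at one of the SSO client applications;
 * anything else falls back to the user's account page on A.
 */
public class AllowListedRedirectSuccessHandler implements AuthenticationSuccessHandler {

    // Placeholder origins for the B and C applications; replace with the real ones.
    private static final Set<String> ALLOWED_ORIGINS =
            Set.of("https://b.example.com", "https://c.example.com");
    private static final String DEFAULT_TARGET = "/account";
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException {
        // The hidden field survives a session timeout because it travels with the POST, not the session.
        String target = resolveTarget(request.getParameter("redirectUrl"));
        redirectStrategy.sendRedirect(request, response, target);
    }

    /** Returns the submitted URL if its scheme://host[:port] is allow-listed, else the default. */
    static String resolveTarget(String submitted) {
        if (submitted == null || submitted.isBlank()) {
            return DEFAULT_TARGET;
        }
        try {
            URI uri = new URI(submitted).normalize();
            if (uri.getScheme() == null || uri.getHost() == null) {
                return DEFAULT_TARGET; // relative or scheme-less values are not trusted
            }
            String origin = uri.getScheme() + "://" + uri.getHost()
                    + (uri.getPort() == -1 ? "" : ":" + uri.getPort());
            return ALLOWED_ORIGINS.contains(origin.toLowerCase()) ? submitted : DEFAULT_TARGET;
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET; // malformed input falls back to the account page
        }
    }
}
```

Comparing the whole origin (scheme, host and port) rather than a prefix of the string is what prevents values such as https://b.example.com.attacker.example from passing the check.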



Source: https://stackoverflow.com/questions/44409713/how-to-deal-with-http-session-timeout-when-using-sso
