Entra ID: 5 min session expiration #1347
We followed https://github.com/OpenIDC/mod_auth_openidc/wiki/Microsoft-Entra-ID--(Azure-AD) and configured to session type as This works but the session cookie expires after 5 minutes and we are redirected to the Microsoft Login. Is there some configuration that needs to be changed on the Entra ID side or can this be fixed within mod_auth_openidc configs? We use version 2.3.8 as part of SLES15. If this is a known issue that was fixed in a later version I can open a ticket with SUSE to upgrade the package to a version that fixes that.
Replies: 1 comment 1 reply
Firstly, 2.3.8 is 7 years old; you must not use security software in production that has not been updated since 2018.
Then, one should not use a persistent session cookie, as it survives restarts and doesn't allow the user to log out by killing the browser, which is a security risk as well.
Lastly, you are most likely running into a session inactivity timeout, as the default setting is 5 mins, see:
https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.18/auth_openidc.conf#L632-L634
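
The settings the reply points at, as an added example that is not part of the original thread or of the project's documentation. The "before" line, the choice of `server-cache`, and the numeric values are assumptions for illustration, since the question does not show the actual configuration.

```apache
# Constructed "before": a persistent session cookie with the inactivity
# timeout left unset. With the directive unset, the module default of
# 300 seconds applies, so a user who is idle for 5 minutes loses the
# session and is redirected to the provider's login on the next request.
#OIDCSessionType server-cache:persistent

# "After": no ":persistent" suffix, so the browser holds a session cookie
# that is discarded when the browser is closed. "server-cache" is an
# assumed choice here; the same suffix rule applies to "client-cookie".
OIDCSessionType server-cache

# Seconds without any request before the session is invalidated.
# Default is 300. The value 1800 is illustrative; choose one that matches
# the idle-lock policy for the protected application.
OIDCSessionInactivityTimeout 1800

# Hard upper bound on session lifetime in seconds, regardless of activity.
# 28800 (8 hours) is illustrative. Keep this bounded so that raising the
# inactivity timeout does not produce sessions that never end.
OIDCSessionMaxDuration 28800
```

Both timeouts are enforced by mod_auth_openidc on the Apache side, independently of token or sign-in lifetimes configured in Entra ID.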