Re: [Dev] [IS] No Established session issue at the session timeout

2015-07-27 Thread Ayesha Dissanayaka
Hi all,

I have taken over looking into this issue
https://wso2.org/jira/browse/STORE-875 in ES pack.
As of now we have decided to increase this session-timeout duration to a
higher value. We can achieve that by setting SessionIdleTimeout (default
15 min) to a higher value in identity.xml.
But we cannot override this value coming from IS-components, since
SessionIdleTimeout is not parameterized. As a workaround, we are going to
maintain a local copy of identity.xml in ES repository with this particular
value increased.

Can we get SessionIdleTimeout entry parameterized from IS side, so that
we can override it at build time?
Or any other better way to do this?

[1] https://wso2.org/jira/browse/STORE-875

Thanks!
-Ayesha


-- 
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com
20, Palmgrove Avenue, Colombo 3
E-Mail: aye...@wso2.com ayshsa...@gmail.com
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] No Established session issue at the session timeout

2015-07-16 Thread Manuranga Perera
Hi IS team,
How is the progress on this issue? We need this fix soon for the RC1
release.

-- 
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : m...@wso2.com


Re: [Dev] [IS] No Established session issue at the session timeout

2015-07-16 Thread Johann Nallathamby
Hi Manu,

Sorry couldn't give a timely update in the thread.

We discussed this internally with the presence of Tanya from UES as well.
We concluded that this is not a blocker or not very easily reproducible by
a single user at a browser without help of automating the interactions.
This could only happen if there is a huge network delay.

Implementing this stuff will take a considerable time. None of our users
have faced any issue so far. We will consider this for a future release.

Also Thanuja is currently developing something for IS 5.1.0 where if
something like this occurs, the user won't land in an error page but
instead land in a logged out page of the Identity Server.

Thanks.

-- 
Thanks & Regards,

*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Integration Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+9476950*
Blog - *http://nallaa.wordpress.com*


Re: [Dev] [IS] No Established session issue at the session timeout

2015-06-15 Thread Ruchira Wageesha
 We have the following concern with the above suggested approach.
 Say we make the call1 and then receive the response 1 as the session still
 exists. But between the time that we make the call2, session gets expired.
 (since these are network calls and delays may occur.)
 So at that point we face the same original problem again.

 Isn't the proper approach to send a logout response from the identity
 side with a proper message (no session exists) to the application side
 rather than breaking the flow in the middle?

@IS Team,

Can you please share your thoughts on this and any fixes if needed please
:).


-- 

*Ruchira Wageesha*, *Technical Lead*
*WSO2 Inc. - lean . enterprise . middleware | wso2.com*

*email: ruch...@wso2.com, blog: ruchirawageesha.blogspot.com, mobile: +94 77 5493444*


[Dev] [IS] No Established session issue at the session timeout

2015-06-14 Thread Tanya Madurapperuma
Hi IS team,

As informed offline we have faced [1] in ES. We understand that once we
move to Identity core 4.5.1, cache expiration period can be configured in
HOME/repository/conf/tomcat/carbon/WEB-INF/web.xml.

Even after the set cache expiration time or a session timeout (already set
the cache expiration time to a higher value than the session timeout), we
face the 405 issue where the logout flow breaks at the identity side (in
the browser with the message *No Established Sessions corresponding to
Session Indexes provided*) providing no clue to the application side.

Hence the following approach was suggested for us to identify the existence
of a valid session.

We have the following concern with the above suggested approach.
Say we make the call1 and then receive the response 1 as the session still
exists. But between the time that we make the call2, session gets expired.
(since these are network calls and delays may occur.)
So at that point we face the same original problem again.

Isn't the proper approach to send a logout response from the identity
side with a proper message (no session exists) to the application side
rather than breaking the flow in the middle?

Are there any security vulnerabilities in sending a logout response to a
non-existent session? (assuming that a third party who never had a session
at the IDP can still make a logout request)

Appreciate your input.

[1] https://wso2.org/jira/browse/STORE-721

Thanks,
Tanya

-- 
Tanya Madurapperuma

Senior Software Engineer,
WSO2 Inc. : wso2.com
Mobile : +94718184439
Blog : http://tanyamadurapperuma.blogspot.com
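
The check-then-logout race described in the message above, and the alternative it proposes, as an added example (not part of the original post and not WSO2 Identity Server code). `ToyIdP`, its method names, the response fields and the fake clock are assumptions made for illustration; only the 15-minute idle timeout and the error text come from the thread.

```python
# Toy model, constructed for illustration; not WSO2 Identity Server code.
# A fake clock makes the idle timeout deterministic.

IDLE_TIMEOUT = 15 * 60  # seconds; the 15 min default mentioned in the thread


class ToyIdP:
    def __init__(self):
        self.now = 0          # fake clock, advanced by the caller
        self.last_seen = {}   # session index -> time of last activity

    def login(self, index):
        self.last_seen[index] = self.now

    def _alive(self, index):
        seen = self.last_seen.get(index)
        return seen is not None and self.now - seen < IDLE_TIMEOUT

    def session_exists(self, index):      # "call1" in the thread
        return self._alive(index)

    def logout_strict(self, index):       # "call2": the flow breaks at the IdP
        if not self._alive(index):
            raise RuntimeError("No Established Sessions corresponding to "
                               "Session Indexes provided")
        del self.last_seen[index]
        return {"status": "Success"}

    def logout_idempotent(self, index):   # proposed: always answer the application
        existed = self._alive(index)
        self.last_seen.pop(index, None)   # removing nothing changes nothing
        return {"status": "Success",
                "detail": "session terminated" if existed else "no session exists"}


def check_then_logout(idp, index, delay):
    """Application side: call1, a network delay, then call2."""
    if not idp.session_exists(index):
        return "already logged out"
    idp.now += delay                      # the session may expire in this window
    try:
        return idp.logout_strict(index)["status"]
    except RuntimeError:
        return "flow broken"


def race_demo():
    idp = ToyIdP()
    idp.login("idx-1")
    idp.now = IDLE_TIMEOUT - 1            # one second before expiry
    broken = check_then_logout(idp, "idx-1", delay=2)
    return broken, idp.logout_idempotent("idx-1")["detail"]
```

In this model a session index that was never issued gets the same answer as an expired one and alters no state; authenticating the logout request itself is outside the sketch.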