[Openid-specs-mobile-profile] How to invalidate cookie sessions in RP

GONZALO FERNANDEZ RODRIGUEZ gonzalo.fernandezrodriguez at telefonica.com
Mon Mar 28 20:32:30 UTC 2016


Hi John,

First of all thank you for your quick response.

I agree that having persistent session cookies is not a good practice. However there are some Service Providers that can’t decide how many time set for expiration cookies and they suggest somehow to be warned in case the user is unsubscribed. We would have a similar problem if the cookie expires after the id_token, however this case can be managed setting the id_token in the cookie.

You said that “Most SP don’t retain enough of the session in the server to be able to correlate and kill a front channel session based on a out of band signal”, are you talking about legacy code that sets “something” in the session cookie? If I understand well this could also be avoided setting the id_token in the cookie right?

BTW, is public the spec you are working on for the back channel?

Best Regards and thank you again,
Gonza.

De: John Bradley <ve7jtb at ve7jtb.com<mailto:ve7jtb at ve7jtb.com>>
Fecha: lunes, 28 de marzo de 2016, 20:33
Para: Gonzalo Fernandez Rodriguez <gonzalo.fernandezrodriguez at telefonica.com<mailto:gonzalo.fernandezrodriguez at telefonica.com>>
CC: "openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>" <openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>>
Asunto: Re: [Openid-specs-mobile-profile] How to invalidate cookie sessions in RP

There specs for logout in the front channel using redirects, and one I am working on for the back channel.

It is probably a bad practice to have session cookies that don’t expire.  We have seen requests for logout, but not a account deprovisioning other than through SCIM or something like that.

I would ask why a user being unsubscribed to mobile connect is a problem for the SP as long as the session is good.   Is this different from logout?
I can potentially see backchannel logout being required if the user doesn’t have an active browser session.

I think what you will find on the web is that most SP don’t retain enough of the session in the server to be able to correlate and kill a front channel session based on a out of band signal.

So while SP do ask for back channel logout, most of them decide that they can’t do it based on how the site is designed around cookies.

I think the closest thing is backchannel logout, but most RP/SP won’t do it.

It is exactly the same problem in SAML and almost no one uses the SAML SLO spec for that reason.

John B.

On Mar 28, 2016, at 2:37 PM, GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez at telefonica.com<mailto:gonzalo.fernandezrodriguez at telefonica.com>> wrote:

Hi guys,

I would like to know your opinion as experts in OIDC about how to invalidate the session cookies in the RP in case of a user abandons Mobile Connect. I mean, I am thinking in the next problem:


  1.  A Relaying Party “RP1” using Mobile Connect authenticates the user “user1” using Mobile Connect in an MNO.
  2.  The relaying party sets a cookie, likely with the id_token (to be able to check the expiration) for a long time.
  3.  The user “user1” is unsuscribed in Mobile Connect, however he can still be authenticated in the RP1 relaying party because the cookie is still valid.

The question is if there is some standard way to proceed to communicate the RP1 that the user “user1” is no longer is Mobile Connect subscriber, and allow the RP to invalidate the cookie.

Best,
Gonza.

________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
_______________________________________________
Openid-specs-mobile-profile mailing list
Openid-specs-mobile-profile at lists.openid.net<mailto:Openid-specs-mobile-profile at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile


________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160328/21776377/attachment.html>


More information about the Openid-specs-mobile-profile mailing list