Hi all,

Sometimes after I authenticate successfully to a service node, the
"Security Verified" screen pops up and then tries to redirect back the
the service, but then the service just redirects back to the "Security
Verified" page and it gets stuck in a loop where it will retry about
once a second.

Here is a trace of the http requests from my browser (i changed the
domains to be generic):

11:12:46.796    1.297   *       GET     (Aborted)       *       https://mywebapp.domain.com/
11:12:46.875    0.093   0       GET     200     text/html; charset=utf-8
https://mywebapp.domain.com/spep/sso?redirectURL=Lw==&ts=1211886659111
11:12:47.15     1.266   *       POST    (Aborted)       *       https://login.domain.com/sso
11:12:47.187    1.234   *       POST    (Aborted)       *       https://mywebapp.domain.com/spep/sso
11:12:48.93     1.235   *       GET     (Aborted)       *       https://mywebapp.domain.com/
11:12:48.156    0.078   0       GET     200     text/html; charset=utf-8
https://mywebapp.domain.com/spep/sso?redirectURL=Lw==&ts=1211886660401
11:12:48.281    1.234   *       POST    (Aborted)       *       https://login.domain.com/sso
11:12:48.421    1.219   *       POST    (Aborted)       *       https://mywebapp.domain.com/spep/sso
11:12:49.328    1.218   *       GET     (Aborted)       *       https://mywebapp.domain.com/
11:12:49.390    0.078   0       GET     200     text/html; charset=utf-8

 I am using apache spep 0.52 and esoe 0.7 .  When I look at the logs I
get this:

spep::AuthnProcessor - Successfully inserted authenticated session
(1399c1ce56f725286349d1898ac359c0415094dc-4741
4ba6da2a406adb6d5d9f60f-1211899185) into session cache.
2008-05-27 10:39:45 [AUTHN] spep::AuthnProcessor - Authenticated new
session. SPEP Session ID:
1399c1ce56f725286349d1898ac359c0415094dc-47418
ba6da2a406adb6d5d9f60f-1211899185
2008-05-27 10:39:45 [DEBUG] spep::AuthnProcessor - Couldn't verify
existing session:
1399c1ce56f725286349d1898ac359c0415094dc-47418aea3852829
adb6d5d9f60f-1211899185. Failing.
2008-05-27 10:39:45 [DEBUG] spep::AuthnProcessor - Going to create a
new AuthnRequest
2008-05-27 10:39:45 [DEBUG] spep::AuthnProcessor - Created
unauthenticated session for new AuthnRequest. SAML ID:
_2788f2d2ccbb07a39851b057f2 4-b0960630d12b506ff05bce69e4a170f1

I am concerned that it might be the " Couldn't verify existing
session: " that is creating the problem, because then it just
immediately tries to create a new session.

Also: sometimes it will eventually redirect back to the application
after a few iterations of the redirects. Other times it will never
work and stay in the loop indefinitely (but if i interrupt the loop by
typing in "https://mywebapp.domain.com", everything works as it should
and I am successfully authenticated and all my attributes are passed
through to mywebapp.)

any ideas?

Thanks!
Jim

Hi Jim,

I am concerned that it might be the " Couldn't verify existing

I agree with this idea. However this isn't something that I have seen
before, and I'm having trouble reproducing it locally.

Also: sometimes it will eventually redirect back to the application

Based on this, I have a theory about what could be happening, which is that
you are getting sent back to the authenticated content before the session is
properly inserted in the session cache. I have developed a patch which will
ensure that this can not happen. Hopefully this will fix your problem.

I have attached the patch. You should apply it to the top level of the
spep-0.5.2 source tree before rebuilding, by typing:

patch -p0 < patch-blocking-session-inserts.diff

Let me know how you go with this. Hope it helps!

Thanks,
Shaun

patch-blocking-session-inserts.diff 2K Download

Shaun,
Once again, thank you so much that fixed the problem!  Everything is
working perfectly!  I am really impressed with ESOE and the extremely
helpful and quick responses on this list.

thanks again,
Jim

On May 27, 9:10 pm, "Shaun Mangelsdorf" <s.mangelsd...@gmail.com>
wrote: