Cookie not invalidated after reaching the session-timeout
Description of problem:
We have ocserv servers configured with a 12h user session timeout (persistent-cookie is not set).
We noticed that users using AnyConnect reconnect automatically after reaching the 12h session timeout without being asked to authenticate. According to the documentation on session-timeout, the cookie is supposed to be invalidated:
```
# The time (in seconds) that a client is allowed to stay connected
# Unset to disable. When set a client will be disconnected after being
# continuously connected for this amount of time, and its cookies will
# be invalidated (i.e., re-authentication will be required).
#session-timeout = 86400
```
Here are the logs from our ocserv instance showing this behavior:
```
Aug 29 07:12:03 vpn-server ocserv[1530504]: worker[j.doe]: 82.x.x.x session timeout reached for process (43230 secs)
Aug 29 07:12:03 vpn-server ocserv[5255]: sec-mod: session stats but with non-existing SID
Aug 29 07:12:03 vpn-server ocserv[5273]: sec-mod: temporarily closing session for j.doe (session: NfCFfY)
Aug 29 07:12:03 vpn-server ocserv[1669871]: level="info" msg="user disconnected" ip_addr="82.x.x.x" username="j.doe" vpn_addr_ipv4="10.x.x.x" vpn_addr_ipv6=""
Aug 29 07:12:03 vpn-server ocserv[1669879]: note: skipping 'pid-file' config option
Aug 29 07:12:03 vpn-server ocserv[1669879]: note: vhost:default: setting 'pam' as primary authentication method
Aug 29 07:12:03 vpn-server ocserv[1669879]: note: the cisco-client-compat option implies dtls-legacy = true; enabling
Aug 29 07:12:03 vpn-server ocserv[1669879]: note: setting 'file' as supplemental config option
Aug 29 07:12:03 vpn-server ocserv[5273]: sec-mod: initiating session for user 'j.doe' (session: NfCFfY)
Aug 29 07:12:03 vpn-server ocserv[1669888]: level="info" msg="user connected" ip_addr="82.x.x.x" username="j.doe" vpn_addr_ipv4="10.x.x.x" vpn_addr_ipv6=""
```
We can see in the logs above that a user reaches its session timeout, gets disconnected but automatically reconnects without going through the primary authentication (PAM in our case).
occtl also shows that this user has been connected on the same session for 4 days:
```
$ occtl --json show sessions valid
{
"Session": "NfCFfY",
"Full session": "NfCFfYz+I1SpfdvW1QoLbF17ma4=",
"Created": "2023-08-25 07:09",
"State": "authenticated",
"Username": "j.doe",
"Groupname": "Domain Users",
"vhost": "default",
"User-Agent": "AnyConnect Windows 4.10.01075",
"Remote IP": "82.x.x.x",
"Location": "unknown",
"session_is_open": 1,
"tls_auth_ok": 0,
"in_use": 1,
},
```
Unless there is another configuration parameter we omitted to set, I suspect this is a bug with cookies not being correctly invalidated.
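As an added defender-side check (example code, not part of this report or of ocserv), the script below scans the two artefacts shown above: it flags a "user connected" event that follows a "session timeout reached" for the same user within a short window (a reconnect with no fresh login), and it flags occtl sessions still in use beyond the configured session-timeout. The sample log lines and occtl records are constructed from the report, and the year (2023) is assumed because syslog timestamps carry none.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the report's log lines and occtl output (year assumed 2023).
SAMPLE_LOG = """\
Aug 29 07:12:03 vpn-server ocserv[1530504]: worker[j.doe]: 82.x.x.x session timeout reached for process (43230 secs)
Aug 29 07:12:03 vpn-server ocserv[1669871]: level="info" msg="user disconnected" ip_addr="82.x.x.x" username="j.doe"
Aug 29 07:12:03 vpn-server ocserv[5273]: sec-mod: initiating session for user 'j.doe' (session: NfCFfY)
Aug 29 07:12:03 vpn-server ocserv[1669888]: level="info" msg="user connected" ip_addr="82.x.x.x" username="j.doe"
Aug 29 09:00:00 vpn-server ocserv[1669900]: level="info" msg="user connected" ip_addr="82.x.x.y" username="a.smith"
"""
SAMPLE_OCCTL = json.dumps([
    {"Session": "NfCFfY", "Created": "2023-08-25 07:09", "Username": "j.doe", "in_use": 1},
    {"Session": "abc123", "Created": "2023-08-29 05:00", "Username": "a.smith", "in_use": 1},
])
SAMPLE_NOW = datetime(2023, 8, 29, 7, 12)  # constructed "current time" for the occtl check

TIMEOUT_RE = re.compile(r"worker\[(?P<user>[^\]]+)\]: \S+ session timeout reached")
CONNECT_RE = re.compile(r'msg="user connected" .*?username="(?P<user>[^"]+)"')

def parse_ts(line, year):
    # Syslog timestamps ("Aug 29 07:12:03") carry no year; the caller supplies it.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)

def find_silent_reconnects(log_text, year=2023, window=timedelta(seconds=60)):
    """(username, time) for each 'user connected' that follows a 'session timeout
    reached' for the same user within `window`: a reconnect without a fresh login."""
    last_timeout, hits = {}, []
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            last_timeout[m.group("user")] = parse_ts(line, year)
            continue
        m = CONNECT_RE.search(line)
        if m:
            user, ts = m.group("user"), parse_ts(line, year)
            if user in last_timeout and ts - last_timeout[user] <= window:
                hits.append((user, ts))
    return hits

def find_overaged_sessions(occtl_json, session_timeout, now):
    """Usernames of occtl sessions still in use for longer than session_timeout seconds."""
    flagged = []
    for s in json.loads(occtl_json):
        created = datetime.strptime(s["Created"], "%Y-%m-%d %H:%M")
        if s.get("in_use") == 1 and (now - created).total_seconds() > session_timeout:
            flagged.append(s["Username"])
    return flagged
```

On a live server, feed the journal output and `occtl --json show sessions valid` (wrapped as a JSON array) to the two functions with your configured session-timeout; any hit means a client stayed connected past the timeout without re-authenticating.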
Version of ocserv used:
v1.2.0
Client used:
AnyConnect Windows 4.10.01075
Distributor of ocserv:
CentOS 8 + self-compiled
How reproducible:
Describe the steps to reproduce the issue:
- Configure an ocserv instance with a session-timeout set and persistent-cookie disabled
- Connect to the server with the AnyConnect client and wait for the session-timeout
Actual results:
Once session-timeout is reached, the client automatically reconnects without going through the primary authentication, meaning that the user can stay connected indefinitely.
Expected results:
Once session-timeout is reached, the client's cookie is invalidated and the client is asked to re-authenticate through the usual authentication method.