add auth_expiration (AnyConnect, GP, Pulse) and openconnect_get_auth_expiration() API function
- Add `openconnect_get_auth_expiration` function to library and JNI

  This allows protocols to save the moment when a session's authentication (`vpninfo->cookie`) is expected to expire and no longer be useful for reconnection.

  The motivation is to eventually allow front-ends to know whether reauthentication is needed, or whether they should try using a cached cookie.

  Current state:

  - AnyConnect protocol: expiration is determined from the CONNECT response header `X-CSTP-Session-Timeout-Remaining`, which decreases on subsequent reconnects (with `X-CSTP-Session-Timeout` as the starting value at the moment of authentication completion, to be used as an upper bound in its absence, with `X-CSTP-Lease-Duration` as a fallback in the absence of those fields).
  - GlobalProtect protocol: expiration is determined from the `<lifetime>` tag of the XML config, which decreases on subsequent reconnects.
  - Juniper Network Connect protocol: no currently known way to determine expiration. The `DSID` cookie is a standard HTTP cookie, so perhaps its expiration timestamp is intended for this purpose; however, I can find no real-world case where it has a timestamp set via `expires` or `max-age`.
  - None of the currently-supported protocols provide the expiration timestamp until the connection phase, so it can't be obtained for export by the `--authenticate` option.
- implement `auth_expiration` for Pulse protocol

  We have many examples of this field (AVP 0x583/0xd5c) being multiples of 60 or 3600, strongly suggesting that it's the remaining auth lifetime (or maybe the total auth lifetime, at least a working upper bound):

  - #98 (closed): `AVP 0x583/0xd5c: 00 01 fa 40` (0x1fa40 seconds = 36 hours)
  - private communication: `AVP 0x583/0xd5c: 00 00 a9 ec` (0xa9ec seconds = 12 hours)
  - private communication: `AVP 0x583/0xd5c: 00 00 0a 70` (0xa70 seconds = 44 minutes)
Edited by Daniel Lenski
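
The lifetime sources described above, and the front-end decision they are meant to enable, as an added example that is not code from this merge request or from openconnect. All struct and function names are hypothetical, and the Pulse AVP payload is assumed to be 4 bytes of big-endian seconds, as the quoted byte strings suggest.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical holder for the AnyConnect CONNECT-response values, already
 * parsed to seconds; a negative value means the header was absent. */
struct cstp_timeouts {
    int64_t remaining; /* X-CSTP-Session-Timeout-Remaining */
    int64_t total;     /* X-CSTP-Session-Timeout (upper bound only) */
    int64_t lease;     /* X-CSTP-Lease-Duration (fallback) */
};

/* Lifetime in seconds using the precedence in the description, -1 if unknown. */
int64_t cstp_auth_lifetime(const struct cstp_timeouts *t)
{
    if (t->remaining >= 0) return t->remaining;
    if (t->total >= 0) return t->total;
    if (t->lease >= 0) return t->lease;
    return -1;
}

/* Decode the payload of Pulse AVP 0x583/0xd5c: 4 bytes, big-endian seconds. */
int64_t pulse_auth_lifetime(const unsigned char *p, size_t len)
{
    if (!p || len != 4) return -1;
    return ((int64_t)p[0] << 24) | ((int64_t)p[1] << 16) | ((int64_t)p[2] << 8) | p[3];
}

/* Absolute expiry; 0 stands for "unknown" in this example. */
time_t auth_expiration_at(time_t now, int64_t lifetime)
{
    return lifetime < 0 ? (time_t)0 : now + (time_t)lifetime;
}

/* Front-end check: 1 = cached cookie worth trying, 0 = reauthenticate,
 * -1 = expiry unknown. margin keeps a cookie about to lapse from being reused. */
int cookie_usable(time_t expiration, time_t now, time_t margin)
{
    if (expiration == 0) return -1;
    return expiration - now > margin ? 1 : 0;
}

int main(void)
{
    const unsigned char avp[4] = { 0x00, 0x01, 0xfa, 0x40 }; /* value quoted above */
    time_t now = time(NULL);
    time_t expiry = auth_expiration_at(now, pulse_auth_lifetime(avp, sizeof(avp)));
    printf("lifetime=%lld usable=%d\n", (long long)(expiry - now), cookie_usable(expiry, now, 60));
    return 0;
}
```

Because a value taken from `X-CSTP-Session-Timeout` or the Pulse AVP may be only an upper bound, a front-end should treat a result of 1 as "worth trying" and still fall back to reauthentication if the gateway rejects the cookie.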