The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

BlockStaleRequests

As of the 1.3.1 release, the IdP software can utilize the optional time parameter in an AuthnRequest to detect a request that was issued in the past. The main reason for enabling this check is to allow users to "back up" over the login process and return to earlier pages in their history. Typically, the use of the BrowserPOST profile results in users being "trapped" in the application and the back button just bounces the browser back into the application with a new session, increasing the load on the IdP and SP in the process.

It has the disadvantage of blocking some bookmarks created after a login, because many browsers incorrectly update the location bar at times. Links or bookmarks containing the time parameter will typically fail to work properly. Links intended to initiate SSO from an IdP should omit the time parameter to prevent this behavior.

Configuration

To enable the feature, simply add an attribute to the <IdPConfig> element in the IdPXml file:

<IdPConfig ... blockStaleRequests="true" ...>

When a stale request is detected, a special error template called IdpStale.jsp is used to report the problem, allowing you to customize the message users will see.

Implementation

The implementation of this feature uses cookies to track the last request seen from each SP. A cookie is created for each SP by hashing its providerId to generate the cookie name, and the cookie stores the last timestamp seen from that SP. Because each comparison is between two timestamps issued by the same SP, old requests can be detected accurately without requiring any clock synchronization between servers. Even if no cookie exists, a request whose timestamp is older than 30 minutes is treated as stale no matter what.
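The following is an added example, not code from the Shibboleth IdP itself, that models the stale-request logic described above: a per-SP cookie named by hashing the providerId, the stored last-seen timestamp, and the 30-minute fallback that applies even when no cookie is present. The cookie-name prefix, the use of SHA-1, the epoch-seconds cookie value, and the decision to treat a replayed request with the same timestamp as stale are all assumptions made for this example; the providerId and times in the scenario are constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Age beyond which a request is stale even with no cookie (the page's 30-minute rule).
MAX_REQUEST_AGE = timedelta(minutes=30)


def cookie_name(provider_id: str) -> str:
    """Derive the per-SP cookie name by hashing the providerId.

    The page only says the name is a hash of the providerId; the
    "_shibstale_" prefix and SHA-1 hex digest are assumptions for this example.
    """
    digest = hashlib.sha1(provider_id.encode("utf-8")).hexdigest()
    return "_shibstale_" + digest


def check_request(provider_id: str,
                  request_time: Optional[datetime],
                  now: datetime,
                  cookies: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Classify an AuthnRequest as 'fresh', 'stale' or 'unchecked'.

    Returns the verdict and the cookie jar to send back to the browser.
    The cookie value is the last accepted request time as epoch seconds
    (an assumption; the page does not specify the encoding).
    """
    if request_time is None:
        # No time parameter on the request: nothing to compare, so it is not blocked.
        return "unchecked", cookies

    # Absolute limit: applies whether or not a cookie exists.
    if now - request_time > MAX_REQUEST_AGE:
        return "stale", cookies

    name = cookie_name(provider_id)
    last_seen = cookies.get(name)
    if last_seen is not None:
        last_seen_time = datetime.fromtimestamp(int(last_seen), tz=timezone.utc)
        # Both timestamps were issued by the same SP, so no clock sync is needed.
        # A replayed request (e.g. the back button re-POSTing) carries the same
        # time as the one already seen, so "not newer" is treated as stale.
        if request_time <= last_seen_time:
            return "stale", cookies

    updated = dict(cookies)
    updated[name] = str(int(request_time.timestamp()))
    return "fresh", updated


def simulate_back_button() -> List[str]:
    """Walk through the scenarios the page describes and collect the verdicts."""
    sp = "https://sp.example.org/shibboleth"                    # constructed providerId
    t0 = datetime(2006, 5, 1, 12, 0, tzinfo=timezone.utc)       # constructed time
    cookies: Dict[str, str] = {}
    verdicts: List[str] = []

    # 1. SP issues a request with time=t0 and the IdP sees it immediately.
    v, cookies = check_request(sp, t0, t0, cookies)
    verdicts.append(v)

    # 2. Five minutes later the user presses "back" and the browser re-POSTs
    #    the same request; the cookie shows it has already been seen.
    v, cookies = check_request(sp, t0, t0 + timedelta(minutes=5), cookies)
    verdicts.append(v)

    # 3. The SP issues a genuinely new request a minute after that.
    t1 = t0 + timedelta(minutes=6)
    v, cookies = check_request(sp, t1, t1, cookies)
    verdicts.append(v)

    # 4. A bookmark that captured the time parameter is used two hours later
    #    from a browser with no cookie: blocked by the 30-minute rule alone.
    v, _ = check_request(sp, t1, t1 + timedelta(hours=2), {})
    verdicts.append(v)

    # 5. An SSO-initiating link that omits the time parameter is never blocked.
    v, cookies = check_request(sp, None, t1 + timedelta(hours=2), cookies)
    verdicts.append(v)

    return verdicts


if __name__ == "__main__":
    print(simulate_back_button())
```

Step 4 is the case the page warns about: a link or bookmark carrying the time parameter fails once it is old enough, which is why links meant to start SSO from the IdP should omit that parameter.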