Why is the session ticket removed in activateSessionTicket?

Hi,

I’m using the SSO of CUBA. There is a situation where I need to use a ticket twice, but I found that once a ticket is used, it can’t be used again. Tracing the code, I found that when activating a ticket it removes the ticket from the cache: in IdpSessionStorageBean.java it calls sessionTickets.remove:

    @Override
    public IdpSession activateSessionTicket(String serviceProviderTicket) {
        IdpSession idpSession;

        IdpSessionTicketRecord ticketRecord;

        lock.writeLock().lock();
        try {
            ticketRecord = sessionTickets.remove(serviceProviderTicket);
            if (ticketRecord == null) {
                return null;
            }

            String sessionId = ticketRecord.getSessionId();
            IdpSessionRecord sessionInfo = sessions.get(sessionId);
            idpSession = sessionInfo != null ? sessionInfo.getSession() : null;
        } finally {
            lock.writeLock().unlock();
        }

        if (idpSession != null) {
            ticketRecord.setActive(false);

            clusterManager.sendSync(ticketRecord);
        }

        return idpSession;
    }

Could you share the idea here: why does an activate operation remove the ticket?

Thank you!

Hi,

A single serviceProviderTicket is issued only for authentication and can be used only once, for security reasons. You can use the session ID instead after you have obtained it for the first time.

> There is a situation where I need to use a ticket twice

Why do you need this?

Hi,
My scenario is as below:
I have a mobile client and an H5 client which are both outside of the CUBA system. After the user logs in from the mobile client or the H5 client, the user needs to do some tasks; these tasks will trigger opening CUBA screen links (which could be from different SPs that use IDP login).

So each time the client opens a screen link, the client needs to pass the ticket to the screen link, so this ticket needs to stay active after the user logs in from the client.

Currently, after obtaining the ticket, it works the first time I use it, but when the user triggers another task, a login window pops up, which is not friendly to the user.

If I obtain a ticket each time before opening a screen link, then the other pages opened by the user in the same browser window will be refreshed, and unsaved user data may be lost.

In the IDP flow each service provider must redirect the user to the IDP in order to obtain a serviceProviderTicket and then create a session on the SP side. You cannot and should not reuse tickets.

Hi Yuriy,

Thank you for your quick response!
If I can’t reuse the serviceProviderTicket in any case, could you please check whether my solution below works?

  1. Each client (browser/webview) logs in to the IDP, so the IDP should store a ticket for each.
  2. After one client, e.g. a Chrome user, uses the ticket to log in (the IDP will return the idpSession), set a cookie with the IDP session in the response. Also save the ticket id in a cookie.
  3. If the same Chrome client uses the ticket again, I will use a doFilter interceptor to check whether the ticket was already used; if yes, remove the idp_ticket param from the request URL, so it should use the current login.

Or do you have other suggestions?
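One way to implement the interceptor from step 3 on the SP side, as an added example that is neither CUBA’s code nor the poster’s: a servlet filter that, when the browser already holds an authenticated session, hides a repeated `idp_ticket` parameter from downstream code so the single-use ticket is never presented to the IDP a second time. Instead of comparing against a ticket id saved in a cookie, it keys off a server-side session attribute; the attribute name `idpSessionId` and the use of the `javax.servlet` API are assumptions, and the class is hypothetical.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical SP-side filter: if the browser already has an authenticated
 * session, a repeated idp_ticket parameter is dropped from the request so the
 * downstream login handling does not try to activate an already consumed
 * ticket and bounce the user back to the IDP login page.
 */
public class StaleIdpTicketFilter implements Filter {

    // Parameter name from the thread; the session attribute name is an assumption.
    static final String TICKET_PARAM = "idp_ticket";
    static final String IDP_SESSION_ATTR = "idpSessionId";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpSession session = httpRequest.getSession(false); // never create a session here

        boolean alreadyAuthenticated = session != null && session.getAttribute(IDP_SESSION_ATTR) != null;
        boolean carriesTicket = httpRequest.getParameter(TICKET_PARAM) != null;

        if (alreadyAuthenticated && carriesTicket) {
            // Keep the existing login; do not replay the single-use ticket.
            chain.doFilter(new ParamStrippingRequest(httpRequest, TICKET_PARAM), response);
        } else {
            // First visit with a ticket, or no ticket at all: normal flow.
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() { }

    /** Request wrapper that hides one query/form parameter from downstream code. */
    static final class ParamStrippingRequest extends HttpServletRequestWrapper {
        private final String hidden;

        ParamStrippingRequest(HttpServletRequest request, String hidden) {
            super(request);
            this.hidden = hidden;
        }

        @Override
        public String getParameter(String name) {
            return hidden.equals(name) ? null : super.getParameter(name);
        }

        @Override
        public String[] getParameterValues(String name) {
            return hidden.equals(name) ? null : super.getParameterValues(name);
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> copy = new HashMap<>(super.getParameterMap());
            copy.remove(hidden);
            return Collections.unmodifiableMap(copy);
        }

        @Override
        public Enumeration<String> getParameterNames() {
            return Collections.enumeration(getParameterMap().keySet());
        }

        /** Also scrub the raw query string, for code that parses it directly. */
        @Override
        public String getQueryString() {
            String qs = super.getQueryString();
            if (qs == null) return null;
            StringBuilder sb = new StringBuilder();
            for (String pair : qs.split("&")) {
                if (pair.isEmpty() || pair.equals(hidden) || pair.startsWith(hidden + "=")) continue;
                if (sb.length() > 0) sb.append('&');
                sb.append(pair);
            }
            return sb.length() == 0 ? null : sb.toString();
        }
    }
}
```

The filter has to be mapped in front of whatever component performs the IDP login handling, and it only ever narrows what the request exposes: when no authenticated session exists the ticket passes through untouched, so the one-time activation on the IDP side stays the single source of truth.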

Hi,

It could work, but I do not understand your use case.

It seems that you are trying to use IDP as secret links for mobile applications for transparent. If yes then you should definitely implement your own servlet / MVC controller that will manage this.

As for WebView, I’m not sure that IDP is useful if you need to log in again from WebView and each browser. It is meant to be used in standard situations when you are opening multiple systems from a single web browser and then you are logged in everywhere after logging in to the IDP.