(error code: 0x80090308) on session timeouts w/ multiple requests

[anotherCoward]

This is related to #91 and if the proxy is not set to keep alive, multiple requests in a short duration will all fail to authenticate with the message Error: AcceptSecurityContext: SECURITY_STATUS incorrect (<0): (error code: 0x80090308) [invalid token message] because a server context handle could not be found.

If I request now multiple files (after the timeout of the session) using something like:

for (let i = 0; i < 10;i++) { 
  fetch(`/uri?file=${i}`).then(whatever);
}

all requests will fail. But if i request one first and then the rest (during the session period) everything is fine.

From what I can tell the handle get's added and removed all over again using the configuration values mentioned in #91. I suggest changing the handle name/detection to something different instead of a handle based on the client IP, if possible. There are enough values in the header block that could help creating a more unique handle to search for.

On the other side, if useSession is enabled you could store the serverContextHandle tempoarily inside the session instead of the ServerContextHandleManager.

I have also implemented locally a small addition inside the catch block at auth.js for two of the error codes related to SECURITY_STATUS in cases where the session timed out it triggers 0x80090308 or 0x80090310. If so i just ask the client to auth again using a forward request with Status 308. So fetch() or XMLHttpRequest() create a new session again without any problem. (But only one request for a given IP at a time... :/)

  if (opts.useSession && (e.message.includes("(error code: 0x80090310)") || e.message.includes("(error code: 0x80090308)"))) {
    schManager.release(req);
    delete req.session.sso;
    debug("requesting auth again");
    res.status(308);
    res.set('Location', req.url);
    res.end();
  } else { /* default */ }

But I'm not sure if this fits for everyone. Header Status 308 tells the client also to resend forward form data and so on.

[anotherCoward]

Today i tried it by adding the Forwarded header in the nginx config using: proxy_set_header Forwarded "for=\"$remote_addr:$remote_port\"";

Using this it seems to work fine on multiple requests at once after the session timed out.

Just dumps of schManager.cache on set/release/get:

Before "Forwarded":

set Map(0) {}
release Map(1) {
  '10.81.234.6_close' => {
    handle: '****',
    timestamp: 1636655728379
  }
}
release Map(0) {}
get Map(0) {}
Error: AcceptSecurityContext: SECURITY_STATUS incorrect (<0): (error code: 0x80090308)
release Map(0) {}
set Map(0) {}
Map(1) {
  '10.81.234.6_close' => {
    handle: '****',
    timestamp: 1636655868881
  }
}
[...] 

After:

release Map(0) {}
get Map(0) {}
set Map(1) {
  'for="10.81.234.7:65462"' => {
    handle: '****',
    timestamp: 1636701143570
  }
}
get Map(1) {
  'for="10.81.234.7:65462"' => {
    handle: '****',
    timestamp: 1636701143570
  }
}
release Map(1) {
  'for="10.81.234.7:65462"' => {
    handle: '****',
    timestamp: 1636701143570
  }
}
get Map(1) {
  'for="10.81.234.7:65462"' => {
    handle: '****',
    timestamp: 1636701143570
  }
}
set Map(2) {
  'for="10.81.234.7:65462"' => {
    handle: '****',
    timestamp: 1636701143570
  },
  'for="10.81.234.7:65464"' => {
    handle: '****',
    timestamp: 1636701143666
  }
}
release Map(2) {
  'for="10.81.234.7:65462"' => {
    handle: '****',
    timestamp: 1636701143570
  },
  'for="10.81.234.7:65464"' => {
    handle: '****',
    timestamp: 1636701143666
  }
}
get Map(2) {
  'for="10.81.234.7:65462"' => {
    handle: '****',
    timestamp: 1636701143570
  },
  'for="10.81.234.7:65464"' => {
    handle: '****',
    timestamp: 1636701143666
  }
}
set Map(3) {
  'for="10.81.234.7:65462"' => {
    handle: '****',
    timestamp: 1636701143570
  },
  'for="10.81.234.7:65464"' => {
    handle: '****',
    timestamp: 1636701143666
  },
  'for="10.81.234.7:65468"' => {
    handle: '****',
    timestamp: 1636701143694
  }
}