DAG SSO session duration time on mobile browsers

We use Duo Access Gateway for SAML/SSO and it works well. We have configured our session duration parameter to 1 week. So if a user signs into DAG in their Chrome browser on their desktop, they never have to sign into any other applications for 1 week as long as they’re using the same browser.

However, on mobile, this does not work. In both Safari and Chrome on mobile iOS, the timeout seems to be much shorter, possibly 8 hours.

This is unexpected behavior and drives mobile users crazy. Does anyone else have the same problem?

For clarity, this is where the session duration parameter is located that I’m referring to

Hey bradvido, I brought this up to our development team. They indicated that, due to the way that iOS handles cookies, this is expected behavior. It is on our radar, but I’m not sure whether our development team will be able to work around it in the near term as I believe it is an OS-level limitation.

Hmm, this seems strange, especially since Chrome on iOS handles its cookies within its own app.

If you can provide more details, I’d be happy to help troubleshoot. I’m a web developer and am willing to dig in.

At the very least, it should be documented in the DAG “Session Management” section that iOS will not work.

Basically, the problem as we understand it is that the DAG uses session cookies (i.e., cookies that are removed by the browser when the browser is shut down). Session cookies are used as a security measure. The session duration is a server-side setting to invalidate cookies after the allowed time.

The iOS scheduler will sometimes kill apps that have not been used recently, especially when other apps need resources. When this happens, Safari removes its session cookies, including the DAG cookie.
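
Added example (not part of the thread and not Duo's code): a small model of the interaction described in the reply above, where a server-side session duration of 1 week is paired with a browser session cookie that disappears when the browser process ends. The cookie name `sso_session`, the session ID and the class names are hypothetical and constructed for illustration.

```javascript
// Added illustration; "sso_session", "abc123" and all class names are constructed.
const WEEK_MS = 7 * 24 * 60 * 60 * 1000;

// A Set-Cookie header with neither Expires nor Max-Age creates a session cookie:
// the browser keeps it only until the browser process ends.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const names = attrs.map(a => a.split('=')[0].toLowerCase());
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    persistent: names.includes('expires') || names.includes('max-age'),
  };
}

// Server side: the session duration only bounds how long an issued ID is accepted.
class ServerSessions {
  constructor(durationMs) { this.durationMs = durationMs; this.issued = new Map(); }
  issue(id, now) { this.issued.set(id, now); return `sso_session=${id}; Path=/; Secure; HttpOnly`; }
  isValid(id, now) { return this.issued.has(id) && now - this.issued.get(id) < this.durationMs; }
}

// Client side: a cookie jar that drops session cookies when the process ends.
class BrowserJar {
  constructor() { this.cookies = new Map(); }
  store(header) { const c = parseSetCookie(header); this.cookies.set(c.name, c); }
  // Models the browser ending: the user quits it, or the OS reclaims the app.
  processTerminated() {
    for (const [name, c] of this.cookies) if (!c.persistent) this.cookies.delete(name);
  }
  get(name) { const c = this.cookies.get(name); return c ? c.value : null; }
}

// Sign in at t=0, have the browser process end, then return after `hours`.
function simulate(hours) {
  const server = new ServerSessions(WEEK_MS);
  const jar = new BrowserJar();
  jar.store(server.issue('abc123', 0));
  jar.processTerminated();
  const now = hours * 3600 * 1000;
  const presented = jar.get('sso_session');
  return {
    serverStillValid: server.isValid('abc123', now),
    cookiePresented: presented !== null,
    mustReauthenticate: presented === null || !server.isValid(presented, now),
  };
}
```

To check a real deployment, inspect the gateway's `Set-Cookie` response header in the browser's developer tools and see whether it carries `Expires` or `Max-Age`.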