SAML sessions fill up with logout sessions that do not expire
Concerned version
Version: 2.0.9
Platform: (Nginx/Apache/Node.js)
Summary
- Use SAML
- Observe that the session database ends up being filled with sessions without _utime
Logs
A couple of examples:
{
"_session_id" : "f3ef2177a582d38309b1c05c05a3fe046dc54f01e0160107f9381ef6e8c64e70",
"sp-example" : 1,
"_session_kind" : "ISAML"
}
{
"_session_id" : "d61653cfd157799e8b9cefcc9f6b34e1aa958b3623f1cf5c52df5a757c292d66",
"_session_kind" : "ISAML"
}
Possible fixes
This was fixed in d31a14c3 and 277e0872 by making sure all calls to getSamlSession have a _utime.
We need to warn users in release notes to check their SAML sessions database.
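One way to run the check mentioned above, as an added example that is not part of the original report or of the project's code: it scans a dump of session records and lists the ISAML sessions that have no usable _utime. It assumes the sessions have been exported as concatenated JSON objects like those under Logs; the function names and the last two sample records are constructed for illustration.

```python
import json

# Sample dump: the first two records are the ones quoted under "Logs";
# the last two are constructed (one healthy, one with an empty _utime).
SAMPLE_DUMP = """
{ "_session_id" : "f3ef2177a582d38309b1c05c05a3fe046dc54f01e0160107f9381ef6e8c64e70",
  "sp-example" : 1, "_session_kind" : "ISAML" }
{ "_session_id" : "d61653cfd157799e8b9cefcc9f6b34e1aa958b3623f1cf5c52df5a757c292d66",
  "_session_kind" : "ISAML" }
{ "_session_id" : "constructed-healthy", "_session_kind" : "ISAML",
  "_utime" : 1700000000 }
{ "_session_id" : "constructed-empty-utime", "_session_kind" : "ISAML",
  "_utime" : "" }
"""


def iter_sessions(dump):
    """Yield each JSON object from a string of concatenated objects."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(dump)
    while True:
        # raw_decode() does not skip leading whitespace, so do it here.
        while pos < end and dump[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(dump, pos)
        yield obj


def has_usable_utime(session):
    """True only if _utime is present and parses as a positive number."""
    try:
        return float(session.get("_utime")) > 0
    except (TypeError, ValueError):
        return False


def sessions_without_utime(dump, kind="ISAML"):
    """Return the ids of sessions of the given kind lacking a usable _utime."""
    return [
        s.get("_session_id")
        for s in iter_sessions(dump)
        if s.get("_session_kind") == kind and not has_usable_utime(s)
    ]


if __name__ == "__main__":
    for session_id in sessions_without_utime(SAMPLE_DUMP):
        print(session_id)
```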