🐛 Bug: Session TTL Not Refreshed in UserSessionIdService.updateSessionId()
Description
In UserSessionIdService.java (line 116), there is a TODO comment indicating a potential issue with session TTL and expiration handling:

```java
// TODO: Check if this not reset ttl and expiration. Check original SessionId service
updateSessionId(entity);
```
The current implementation of updateSessionId() only updates lastUsedAt and merges the entity:

```java
public void updateSessionId(SessionId entity) {
    entity.setLastUsedAt(new Date());
    persistenceEntryManager.merge(entity);
}
```

However, it does not recalculate or update:
- expirationDate
- ttl

before persisting the session.
Expected Behavior
Before merging the session entity, the service should:
- Recalculate expirationDate and ttl
- Set these values on the SessionId entity
- Persist the updated entity
This should follow the pattern used in jans-auth-server, where mergeWithRetry() ensures TTL is refreshed:

```java
private void mergeWithRetry(final SessionId sessionId) {
    final Pair<Date, Integer> expiration = expirationDate(sessionId.getCreationDate(), sessionId.getState());
    sessionId.setExpirationDate(expiration.getFirst());
    sessionId.setTtl(expiration.getSecond());
    // then merges to persistence
}
```
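To make the expected change concrete, the following is an added, self-contained illustration written for this report; it is not code from jans-fido2 or jans-auth-server. SessionId, Pair, SessionState and PersistenceEntryManagerStub are minimal stand-ins for the real classes, and the two lifetime constants are hypothetical values standing in for the configured session lifetimes. It places the current updateSessionId() (lastUsedAt only) next to a version that recomputes expirationDate and ttl before merging, following the mergeWithRetry() pattern quoted above, and shows the difference for a session that becomes authenticated after a FIDO2 assertion.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;

// Added example for this issue; not project code. All classes below are stand-ins.
public class SessionTtlRefreshExample {

    // Hypothetical lifetimes in seconds; the real values come from configuration.
    static final int UNAUTHENTICATED_LIFETIME_SEC = 120;
    static final int AUTHENTICATED_LIFETIME_SEC = 86400;

    enum SessionState { UNAUTHENTICATED, AUTHENTICATED }

    static final class Pair<A, B> {
        private final A first; private final B second;
        Pair(A first, B second) { this.first = first; this.second = second; }
        A getFirst() { return first; }
        B getSecond() { return second; }
    }

    // Stand-in for the persisted SessionId entity (only the fields this example needs).
    static final class SessionId {
        private Date creationDate, lastUsedAt, expirationDate;
        private Integer ttl;
        private SessionState state;
        Date getCreationDate() { return creationDate; }
        void setCreationDate(Date d) { creationDate = d; }
        void setLastUsedAt(Date d) { lastUsedAt = d; }
        Date getExpirationDate() { return expirationDate; }
        void setExpirationDate(Date d) { expirationDate = d; }
        Integer getTtl() { return ttl; }
        void setTtl(Integer t) { ttl = t; }
        SessionState getState() { return state; }
        void setState(SessionState s) { state = s; }
    }

    // Stand-in for persistenceEntryManager.merge(); the real one writes to LDAP/SQL.
    static final class PersistenceEntryManagerStub {
        SessionId last;
        void merge(SessionId entity) { last = entity; }
    }

    // Mirrors the jans-auth-server pattern quoted in the issue: expiration is derived
    // from the creation date and the session state, so it changes when the state does.
    static Pair<Date, Integer> expirationDate(Date creationDate, SessionState state) {
        int lifetimeSec = state == SessionState.AUTHENTICATED
                ? AUTHENTICATED_LIFETIME_SEC : UNAUTHENTICATED_LIFETIME_SEC;
        Date expiration = new Date(creationDate.getTime() + TimeUnit.SECONDS.toMillis(lifetimeSec));
        return new Pair<>(expiration, lifetimeSec);
    }

    // Current behaviour as quoted in the issue: only lastUsedAt is touched.
    static void updateSessionIdCurrent(SessionId entity, PersistenceEntryManagerStub pem) {
        entity.setLastUsedAt(new Date());
        pem.merge(entity);
    }

    // Proposed behaviour: recompute expirationDate and ttl, then merge.
    static void updateSessionIdFixed(SessionId entity, PersistenceEntryManagerStub pem) {
        Pair<Date, Integer> expiration = expirationDate(entity.getCreationDate(), entity.getState());
        entity.setExpirationDate(expiration.getFirst());
        entity.setTtl(expiration.getSecond());
        entity.setLastUsedAt(new Date());
        pem.merge(entity);
    }

    // Constructed sample: an unauthenticated session created at the given time.
    static SessionId newUnauthenticatedSession(Date created) {
        SessionId s = new SessionId();
        s.setCreationDate(created);
        s.setState(SessionState.UNAUTHENTICATED);
        Pair<Date, Integer> initial = expirationDate(created, s.getState());
        s.setExpirationDate(initial.getFirst());
        s.setTtl(initial.getSecond());
        return s;
    }

    public static void main(String[] args) {
        PersistenceEntryManagerStub pem = new PersistenceEntryManagerStub();
        Date created = new Date(System.currentTimeMillis() - TimeUnit.SECONDS.toMillis(30));

        // A FIDO2 assertion succeeds, so the caller marks the session authenticated.
        SessionId viaCurrent = newUnauthenticatedSession(created);
        viaCurrent.setState(SessionState.AUTHENTICATED);
        updateSessionIdCurrent(viaCurrent, pem);
        System.out.println("current: ttl=" + pem.last.getTtl()
                + " expirationDate=" + pem.last.getExpirationDate());

        SessionId viaFixed = newUnauthenticatedSession(created);
        viaFixed.setState(SessionState.AUTHENTICATED);
        updateSessionIdFixed(viaFixed, pem);
        System.out.println("fixed:   ttl=" + pem.last.getTtl()
                + " expirationDate=" + pem.last.getExpirationDate());
    }
}
```

With the current path the persisted entry keeps ttl=120 and the expiration computed at creation even though the session is now authenticated; with the recompute-before-merge path it carries the authenticated lifetime. Note that, because the quoted pattern derives expiration from creationDate rather than from the time of the update, the refresh takes effect through the state change, not through lastUsedAt; if the intent is also to extend lifetime on every use, that needs to be decided explicitly when porting the pattern.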
Actual Behavior
- Session TTL (expirationDate in LDAP) is not refreshed on updates
- TTL remains fixed at the value set during initial session creation
- Subsequent FIDO2 activity does not extend session lifetime
Impact
- ⚠️ Premature session expiration despite active usage
- ⚠️ Stale session state in persistence layer
- ❗ No crash or runtime failure — behavior is stable but incorrect
Affected Component
jans-fido2/server/src/main/java/io/jans/fido2/service/persist/UserSessionIdService.java
Callers Affected
AttestationService.java:355 — after successful FIDO2 registration
AssertionService.java:376 — after successful FIDO2 authentication
Steps to Reproduce
- Start a FIDO2 registration or authentication flow tied to a session ID
- Let the flow complete (invokes updateUserSessionIdOnFinishRequest())
- Inspect the persisted session entry
- Observe that expirationDate and ttl remain unchanged from creation time
Additional Observations
- The TODO comment explicitly references the original SessionId service as the correct implementation
- updateUserSessionIdOnError() (where the TODO is placed) currently has no callers, making it effectively dead code