...
Users were seeing a 'Service unavailable' error from the Apache web server.
Logs showed that Apache was rejecting user requests because the user had too many session authentication tokens [TODO: get log message], e.g.
[Fri May 07 14:32:15.221392 2021] [auth_openidc:warn] [pid 5526:tid 139955393259264] [client 208.127.198.60:10332] oidc_authorization_request_set_cookie: the number of existing, valid state cookies (1) has exceeded the limit (1), no additional authorization request + state cookie can be generated, aborting the request
Apache is configured to allow one token, but inspection of the user's machine showed they had three tokens.
The extra tokens arose from multiple simultaneous authentication attempts.
A configuration change was rolled out just prior to the issue being observed.
The limit on tokens is set in the API Gateway configuration with
OIDCStateMaxNumberOfCookies 1 true
('true' flushes out any excess tokens). This setting had to be added manually because the infrastructure configuration tool (Ansible) couldn't cope with it, so after the setting was lost there were at least two ways users could end up with multiple tokens (cookies):
Multiple logins across different browser sessions (within the same browser) would create multiple cookies.
If the user's session expired due to inactivity and the user then logged in again, this new login would also create a duplicate cookie.
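As an added example (not part of the original write-up), the following Python parses auth_openidc warnings of the form quoted above, counts rejected requests per client, and checks whether an Apache configuration carries OIDCStateMaxNumberOfCookies with the flush flag, so the lost setting can be detected before users hit the limit. The log lines and client addresses are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample log lines in the auth_openidc format quoted above
# (documentation IP addresses, not real traffic).
SAMPLE_LOG = """\
[Fri May 07 14:32:15.221392 2021] [auth_openidc:warn] [pid 5526:tid 139955393259264] [client 203.0.113.10:10332] oidc_authorization_request_set_cookie: the number of existing, valid state cookies (1) has exceeded the limit (1), no additional authorization request + state cookie can be generated, aborting the request
[Fri May 07 14:32:16.001000 2021] [auth_openidc:warn] [pid 5526:tid 139955393259264] [client 203.0.113.10:10340] oidc_authorization_request_set_cookie: the number of existing, valid state cookies (3) has exceeded the limit (1), no additional authorization request + state cookie can be generated, aborting the request
[Fri May 07 14:32:20.500000 2021] [auth_openidc:info] [pid 5526:tid 139955393259264] [client 203.0.113.11:5000] some unrelated message
"""

# Matches the client address plus the existing-count and limit in the warning.
STATE_COOKIE_RE = re.compile(
    r"\[client (?P<ip>[^\]:]+):\d+\] oidc_authorization_request_set_cookie: "
    r"the number of existing, valid state cookies \((?P<existing>\d+)\) "
    r"has exceeded the limit \((?P<limit>\d+)\)"
)

# Matches "OIDCStateMaxNumberOfCookies <number> [true|false]" in httpd config text.
DIRECTIVE_RE = re.compile(
    r"^\s*OIDCStateMaxNumberOfCookies\s+(\d+)(?:\s+(true|false))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_state_cookie_warnings(log_text):
    """Return (client_ip, existing, limit) for each state-cookie warning line."""
    hits = []
    for line in log_text.splitlines():
        m = STATE_COOKIE_RE.search(line)
        if m:
            hits.append((m.group("ip"), int(m.group("existing")), int(m.group("limit"))))
    return hits


def clients_over_limit(log_text):
    """Count rejected authorization requests per client IP (alerting input)."""
    return Counter(ip for ip, _, _ in parse_state_cookie_warnings(log_text))


def check_state_cookie_directive(apache_conf):
    """Report whether the directive is present and whether excess cookies are flushed."""
    m = DIRECTIVE_RE.search(apache_conf)
    if not m:
        return {"present": False, "limit": None, "delete_oldest": False}
    flag = (m.group(2) or "").lower() == "true"
    return {"present": True, "limit": int(m.group(1)), "delete_oldest": flag}
```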
...