Description
Due to the latest cookie restrictions made by modern web browsers, e.g. SameSite cookies, I'm wondering if it is time to rewrite entirely the session backend used to store SAML2 requests.
Here is how djangosaml2 handles the persistence, in the saml_session cookie:
djangosaml2/djangosaml2/cache.py, line 71 in 57ad2ba
I'd abandon cookie storage and move to DB storage (RDBMS or NoSQL). The SAML2 requests always come with an ID and this will be involved in the lookup. This will also introduce a stronger replay attack prevention strategy, based on parsing and matching the SAML2 request against all those already stored, nothing else.
In each stored SAML2 request there will be a link to the user that has been authenticated with it and also the SAML2 response as evidence of that.
They would have an expiration time equal to the corresponding SAML2 NotOnOrAfter condition and they would be periodically purged (scheduled, or a NoSQL strategy like Redis TTL).
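One way the proposed storage could look, as an added example that is not djangosaml2's code: sqlite3 stands in for the RDBMS so it runs stand-alone, and the table, column and method names are assumptions for illustration.

```python
# Added example (not djangosaml2 code): a DB-backed store for outstanding
# SAML2 requests keyed by the AuthnRequest ID. Table/method names are assumed.
import sqlite3
import time


class SamlRequestStore:
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS saml2_requests ("
            " request_id TEXT PRIMARY KEY,"
            " user TEXT,"            # set once a response authenticated someone
            " response_xml TEXT,"    # evidence: the SAML2 response that did it
            " expires_at REAL NOT NULL)"
        )

    def store_request(self, request_id, expires_at):
        """Record an outgoing AuthnRequest; its ID is the lookup key."""
        self.db.execute(
            "INSERT INTO saml2_requests (request_id, expires_at) VALUES (?, ?)",
            (request_id, expires_at))
        self.db.commit()

    def consume_response(self, in_response_to, user, response_xml,
                         not_on_or_after, now=None):
        """Bind a response to its stored request. Returns False when the
        InResponseTo ID is unknown, expired, or already bound (a replay)."""
        now = time.time() if now is None else now
        row = self.db.execute(
            "SELECT user, expires_at FROM saml2_requests WHERE request_id = ?",
            (in_response_to,)).fetchone()
        if row is None or row[0] is not None or row[1] <= now:
            return False
        # From here on the row lives as long as the assertion's NotOnOrAfter.
        self.db.execute(
            "UPDATE saml2_requests SET user = ?, response_xml = ?, expires_at = ?"
            " WHERE request_id = ?",
            (user, response_xml, not_on_or_after, in_response_to))
        self.db.commit()
        return True

    def purge_expired(self, now=None):
        """Scheduled cleanup standing in for a TTL; returns rows removed."""
        now = time.time() if now is None else now
        cur = self.db.execute(
            "DELETE FROM saml2_requests WHERE expires_at <= ?", (now,))
        self.db.commit()
        return cur.rowcount
```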