Duo Access Gateway: Session timeout isn't effective

bradvido1 · ‎03-15-2018

We have set our session timeout on our DAG server to 86400 (one day), but users are still prompted to log in much more frequently.

Has anyone else had luck persisting DAG sessions for a long time?

Any tips would be much appreciated.

JohnMaguire1 · ‎03-15-2018

Hi @bradvido,

This is a known issue and we expect to have a fix in the next release of the Duo Access Gateway. May I ask whether you are using the Windows or Linux version of the Duo Access Gateway?

Thanks!

bradvido1 · ‎03-15-2018

We are using the windows version with the latest installer.

In the meantime, I have manually edited the config php file and increased the timeout and restarted IIS. Will this fix it? DAG is running, but i’m unsure if the changes are working because it hasn’t been enough time.

Lastly, is there an eta on the fix or a way to subscribe to it? Github issue or similar?

JohnMaguire1 · ‎03-15-2018

Hi @bradvido,

The issue we have identified is due to the following PHP configuration option the following: session.gc_maxlifetime = 1440

This causes PHP to clear sessions that are older than 24 minutes, even when the “Session Duration” is set longer. While we don’t generally suggest customers modify the software or configuration by hand, you may try adjusting 1440 to something much higher, such as 604800 (one week).

You will need to restart the PHP-FPM process in IIS in order for changes to the PHP configuration to take effect.

We expect the issue will be fixed in the next release. There is no exact timeline of when we will release the next DAG, but we expect a release sometime in Q2.

You can find information about new releases in the sidebar of the Duo Admin Panel Dashboard, or you can subscribe to the Release Notes category on community (click the circle in the top right).

bradvido1 · ‎03-15-2018

@JohnMaguire Awesome, thanks for the detailed responses! We will test the manual change until the fix is released

bradvido1 · ‎03-16-2018

@JohnMaguire We have updated the session.gc_maxlifetime in php.ini and restarted IIS.

Do you know if we also need to change any of the settings in config.php, such as session.state.timeout or session.cookie.lifetime in order for this to work, or should setting the session duration in the DAG Admin GUI be sufficient?

JohnMaguire1 · ‎03-16-2018

Hi @bradvido,

Simply setting the session duration in the admin panel should be sufficient. The application will handle the timeout.

JohnMaguire1 · ‎04-18-2018

Just wanted to post a quick update that this issue should be resolved for new installs of Duo Access Gateway 1.5.3 on Windows, and both new and existing installs of Duo Access Gateway on Linux.

In some cases, the fix may not apply to Windows upgrades. If you’ve stumbled across this thread, and upgrading to Windows Duo Access Gateway 1.5.3 does not fix your issue, please try the workaround suggested above.

bradvido1 · ‎04-18-2018

great. I’ll test it out when we get a chance, but since we implemented the fix manually, it’s been working

JohnMaguire1 · ‎04-18-2018

Yep, you should be set with that. The installer just sets the value in that config file to the higher number.

David_Macintire · ‎09-20-2018

WE are on version 1.5.2 Linux, what is the process of upgrading to the newest version. we are getting the 24 min time out.

DuoKristina · ‎09-20-2018

@David_Macintire You might find this helpful:

https://duo.com/docs/dag-linux#upgrading-duo-access-gateway

Duo, not DUO.

bradvido1 · ‎07-19-2019

@JohnMaguire any thoughts on why the session duration doesn’t work on mobile browsers?

DAG SSO expiration time on mobile browsers

I’d appreciate any insight you may have.