authorThomas Lenz <tlenz@iaik.tugraz.at>2014-09-11 07:51:25 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-09-11 07:51:25 +0200
commit7008b0cb31761563c268ebcb53b13e32333fd931 (patch)
treeedfed3216f91a63e184abba505b34489d113e8e2 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
parenta860c3d448cc136e8733d0827a0e46b72cd431e7 (diff)
add exact timeout validation for SSO sessions
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java16
1 files changed, 14 insertions, 2 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
index ca3117a79..ff294dc3d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
@@ -31,6 +31,7 @@ import java.io.InputStreamReader;
import java.io.Reader;
import java.io.StringWriter;
import java.net.URI;
+import java.util.Date;
import java.util.List;
import javax.servlet.http.Cookie;
@@ -132,7 +133,7 @@ public class SSOManager {
}
- public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) {
+ public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) throws ConfigurationException {
// search SSO Session
if (ssoSessionID == null) {
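Review bot: The new `throws ConfigurationException` on isValidSSOSession is undocumented, and the callers that now have to handle it are not visible in this diff. It presumably originates from the `AuthConfigurationProvider.getInstance()` call added in the next hunk; a Javadoc line such as `@throws ConfigurationException if the SSO session timeout cannot be read from the configuration; callers must treat this as an invalid session` would make the fail-closed expectation explicit. A caller that catches the exception and carries on with the SSO session would skip the lifetime check entirely. The method body continues outside the hunk.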
@@ -144,8 +145,19 @@ public class SSOManager {
if (storedSession == null)
return false;
-
+
else {
+
+ //check if session is out of lifetime
+ Date now = new Date();
+ long maxSSOSessionTime = AuthConfigurationProvider.getInstance().getTimeOuts().getMOASessionCreated().longValue() * 1000;
+ Date ssoSessionValidTo = new Date(storedSession.getCreated().getTime() + maxSSOSessionTime);
+ if (now.after(ssoSessionValidTo)) {
+ Logger.info("Found outdated SSO session information. Start reauthentication process ... ");
+ return false;
+ }
+
+ //check if request starts an interfederated SSO session
if (protocolRequest != null &&
protocolRequest instanceof RequestImpl &&
storedSession.isInterfederatedSSOSession() &&
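Review bot: The expiry branch at `if (now.after(ssoSessionValidTo))` only logs and returns false; nothing in this hunk removes the outdated record from the session store, so the lifetime limit holds only for code paths that go through isValidSSOSession. If no separate cleanup applies the same limit, the stored session should be invalidated here before the `return false`. `storedSession.getCreated()` and `getTimeOuts().getMOASessionCreated()` are also dereferenced unchecked, so if either can be null the result is a NullPointerException instead of a rejected session; a guard such as `if (storedSession.getCreated() == null) return false;` keeps the check fail-closed. The method body starts and ends outside the hunk.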