Determining webvpn cookie lifetime?
Daniel Lenski
dlenski at gmail.com
Mon Dec 21 16:33:56 PST 2015
David Woodhouse <dwmw2 at infradead.org> writes:
>
> On Sun, 2015-12-20 at 04:25 +0000, Dan Lenski wrote:
> >
> > Does one of these indicate how long the cookie will remain valid? My guess:
> >
> > - CSTP-Session-Timeout indicates the time after which the session
> > will end no matter what (3 days here)
> > - CSTP-Idle-Timeout indicates the time after which the session will
> > end, with no traffic (30 minutes here)
> > - CSTP-Disconnected-Timeout indicates the time after which the cookie will
> > become invalid, after disconnection (30 minutes here)
>
> Those seem about right.
>
> > However, my testing appears to show that the server starts to reject the
> > cookie (openconnect -C COOKIE) much sooner than any of these timeouts would
> > indicate, a few minutes.
>
> Note that the session will also be terminated immediately if the client
> signs off. If you terminate openconnect with SIGINT it'll close the
> session. If you terminate it with SIGHUP or SIGTERM, it won't. (See the
> man page).
>
Thanks.
It appears that one of the VPNs I'm using does not want the cookie to
be reused across multiple sessions.
When I connect like this, it works fine:
$ echo -n password | openconnect gateway.com -u USER --passwd-on-stdin
I can even send SIGUSR2 and get OC to pause/reconnect:
$ kill -USR2 $pid
...
Caller paused the connection
User requested reconnect
Attempt new DTLS connection
SSL negotiation with gateway.com
Connected to HTTPS on gateway.com
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
...
However, if I use one process to get the webvpn cookie, and another
process to feed the cookie to the gateway, it is rejected, even if the
cookie is used IMMEDIATELY:
$ echo -n password \
| openconnect gateway.com -u USER --passwd-on-stdin --cookie-only \
| openconnect gateway.com --cookie-on-stdin --dump-http-traffic
Is there some other piece of "state" which is preserved within each
openconnect process, which changes when I try to use the cookie from
another process?
Dan
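As an added illustration (not code from this thread, nor from openconnect itself) of how the three CSTP timeouts discussed above combine, this Python snippet parses them out of a constructed CONNECT reply and computes the earliest moment the gateway should stop honouring the cookie. The `X-CSTP-` header prefix and the sample values are assumptions made here, and the sign-off rule mirrors David's note that a SIGINT'd client ends the session immediately, ahead of all timers.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of the CSTP headers a gateway sends on the CONNECT reply.
# Values match the ones discussed in the thread: 3 days, 30 minutes, 30 minutes.
# The "X-" prefix is an assumption; the parser accepts both spellings.
SAMPLE_CONNECT_REPLY = """HTTP/1.1 200 OK
X-CSTP-Session-Timeout: 259200
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-MTU: 1406
"""

_HDR = re.compile(r"^(?:X-)?CSTP-(Session|Idle|Disconnected)-Timeout:\s*(\d+)\s*$",
                  re.IGNORECASE | re.MULTILINE)


def parse_cstp_timeouts(reply: str) -> Dict[str, int]:
    """Return {'session': s, 'idle': s, 'disconnected': s}, all in seconds."""
    found = {m.group(1).lower(): int(m.group(2)) for m in _HDR.finditer(reply)}
    missing = {"session", "idle", "disconnected"} - set(found)
    if missing:
        raise ValueError(f"CONNECT reply lacks timeout headers: {sorted(missing)}")
    return found


def cookie_expiry(timeouts: Dict[str, int], connected_at: int, last_traffic_at: int,
                  disconnected_at: Optional[int] = None,
                  signed_off_at: Optional[int] = None) -> Tuple[int, str]:
    """Earliest instant (epoch seconds) at which the cookie should stop being
    honoured, plus the rule that causes it.  A clean client sign-off (SIGINT in
    openconnect) ends the session at once, so it wins over every timer."""
    if signed_off_at is not None:
        return signed_off_at, "signed-off"
    candidates = [
        (connected_at + timeouts["session"], "session"),   # hard cap from connect time
        (last_traffic_at + timeouts["idle"], "idle"),      # no traffic for this long
    ]
    if disconnected_at is not None:                        # tunnel dropped, not signed off
        candidates.append((disconnected_at + timeouts["disconnected"], "disconnected"))
    return min(candidates)  # tuples compare on the timestamp first


if __name__ == "__main__":
    t = parse_cstp_timeouts(SAMPLE_CONNECT_REPLY)
    print(cookie_expiry(t, connected_at=1000, last_traffic_at=1000))
```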