Session Token (non-) expiration settings problem


Once having a user authenticated with user name and password, and, optionally, having MFA verified, we have a Session Token, returned as a part of Authentication Response.

The problem is that Okta seems not to set or check the session token expiration, and it can be reused forever.
For example, on one of my instances I keep reusing it for almost two weeks, even after I changed my password. Okta just keeps providing me with fresh SAMLs every hour - in exchange for the same “one-time token”.

Please see here for details and logs.


Another example. I authenticated and verified with my MFA almost 4 days ago. The latest logs show that the same authentication response session token can be reused to access different Okta apps' SAMLs:

Having the authentication response from 3 days ago:

23:15:10.470 AuthenticationResponse [5]
23:15:10.471 .AuthenticationStatus: SUCCESS
23:15:10.474 .ExpiresAt: 5/13/2021 18:00:01 +00:00 => expired: -3.09:15:09
23:15:10.476 .RelayState:
23:15:10.478 .SessionToken: 201…p4x
23:15:10.480 .StateToken:

We read Okta app’s home page:

23:15:10.482 HomePath: /home/amazon_aws/0oa…296/xxx


The returned web form includes the encoded SAML in a hidden “SAMLResponse” input field:

23:15:12.045 SAML[11000]: 3B-D8-26-AA-08-4A-FB-1D-8F-B3-44-D5-7E-34-A8-EB-64-54-5D-D2

Using the same old authentication response session token:

08:57:18.676 AuthenticationResponse [5]
08:57:18.680 .AuthenticationStatus: SUCCESS
08:57:18.684 .ExpiresAt: 5/13/2021 18:00:01 +00:00 => expired: -3.18:57:17
08:57:18.687 .RelayState:
08:57:18.692 .SessionToken: 201…p4x
08:57:18.695 .StateToken:

we now read a different app page:

08:57:18.699 HomePath: /home/amazon_aws/0oa…a297/xxx


and receive a different valid SAML:

08:57:21.807 SAML[25084]: E1-D9-91-04-D2-65-F6-02-DF-9B-A8-AE-C3-8B-A1-9B-85-A5-97-14

Any reply or escalation, please?
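As an added example (not code from the original post or from Okta), the following Python checker reads logs in the format quoted above and flags the two things the post describes: a SAML issued for a session token whose ExpiresAt has already passed, and one session token exchanged at more than one app. The log sample is constructed from the lines above, and the "expired:" field is assumed to be a .NET-style TimeSpan (days.hh:mm:ss, negative when the expiry is in the past).

```python
import re
from datetime import timedelta
# Constructed sample log for this example, in the format quoted in the post above.
SAMPLE_LOG = """\
23:15:10.470 AuthenticationResponse [5]
23:15:10.474 .ExpiresAt: 5/13/2021 18:00:01 +00:00 => expired: -3.09:15:09
23:15:10.478 .SessionToken: 201…p4x
23:15:10.482 HomePath: /home/amazon_aws/0oa…296/xxx
23:15:12.045 SAML[11000]: 3B-D8-26-AA-08-4A-FB-1D-8F-B3-44-D5-7E-34-A8-EB-64-54-5D-D2
08:57:18.676 AuthenticationResponse [5]
08:57:18.684 .ExpiresAt: 5/13/2021 18:00:01 +00:00 => expired: -3.18:57:17
08:57:18.692 .SessionToken: 201…p4x
08:57:18.699 HomePath: /home/amazon_aws/0oa…a297/xxx
08:57:21.807 SAML[25084]: E1-D9-91-04-D2-65-F6-02-DF-9B-A8-AE-C3-8B-A1-9B-85-A5-97-14
"""

def parse_timespan(text):
    """'-3.09:15:09' (assumed .NET TimeSpan, days optional) -> timedelta; negative means ExpiresAt already passed."""
    sign, d, h, mi, s = re.fullmatch(r"(-)?(?:(\d+)\.)?(\d+):(\d+):(\d+)", text.strip()).groups()
    delta = timedelta(days=int(d or 0), hours=int(h), minutes=int(mi), seconds=int(s))
    return -delta if sign else delta

def parse_events(log):
    """One record per AuthenticationResponse: session token, app home path, SAML digest, expiry delta."""
    events, cur = [], {}                     # lines before the first response land in a throwaway dict
    for line in log.splitlines():
        key, _, value = line.split(" ", 1)[-1].partition(":")   # drop the time-of-day prefix
        if key.startswith("AuthenticationResponse"):
            cur = {"token": None, "app": None, "saml": None, "expired": None}
            events.append(cur)
        elif key == ".ExpiresAt":
            cur["expired"] = parse_timespan(value.split("expired:", 1)[1])
        elif key == ".SessionToken":
            cur["token"] = value.strip()
        elif key == "HomePath":
            cur["app"] = value.strip()
        elif key.startswith("SAML["):
            cur["saml"] = value.strip()
    return events

def audit(events):
    """Findings worth alerting on: a SAML minted after ExpiresAt, or one session token exchanged at several apps."""
    findings, apps = [], {}
    for e in events:
        if e["saml"] and e["expired"] is not None and e["expired"] < timedelta(0):
            findings.append(("saml-after-expiry", e["token"], e["app"], -e["expired"]))
        if e["token"] and e["app"]:
            apps.setdefault(e["token"], set()).add(e["app"])
    findings += [("token-reused-across-apps", t, sorted(a)) for t, a in apps.items() if len(a) > 1]
    return findings
```

Running `audit(parse_events(SAMPLE_LOG))` on the constructed log yields two "saml-after-expiry" findings (each over three days past ExpiresAt) and one "token-reused-across-apps" finding for the single token seen at both app home paths.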

Can you open a support case for this to get assistance?

Thank you, Andrea

Opened support request 01119216 with Okta Global Customer Care