The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 4,184 other subscribers
«
»

SVB PGB and DigiD security suddenly logged you out every 15 minutes despite the count down counter indicating otherwise.

Posted by jpluimers on 2021/12/14

From a while back, so I hope it has been fixed by now on the SVB PGB site.

The Dutch SVB (sociale verzekeringsbank, the [WayBack] organisation that implements social security schemes in The Netherlands) has a web-site to submit declarations for PGB ([Wayback] individualised subsidy for care, or personal care budget).

Authentication for the site goes through DigiD, the identity provider through which government related web-sites can verify the identity of Dutch residents on the internet.

In from somewhere in the mid 2010s until somewhere in 2020, the SVB PGB site would log you out when the 15-minute inactivity count-down in the lower right of the screen would reach zero.

After that, the behaviour changed: you would be logged out 15 minutes after logon, forcing one to login way more often. Each logoff/logon cycle had these effets:

  1. loosing the data you entered on the current page
  2. a cost to SVB of about EUR 0.15 excluding VAT for the logon
  3. loss of time and convenience for the end-user

Note that due to site stability reasons in the years before, I already printed each web-page to PDF before submitting, as there was no way to use the “back” button to see what information you had entered.

That way at least I had the information at hand when re-entering the same information. It also provided me of a “paper” trail of site navigation and entered data.

That’s why I reported it early March 2021:

It appeared that the logoff/logon sequence (even if the time-out was implemented correctly), invalidated a very important government mandated architecture principle: the NORA “ask information only once” principle: [Wayback] Eenmalige uitvraag – NORA Online.

Given this is mandatory (classified as noodzakelijk at the top of the graph at [Wayback] Grafisch overzicht relatie principes – NORA Online), I pushed for a quick resolving.

The original behaviour (with automatic renewing the authentication token between 10 and 15 minutes of the inactivity counter) was correct as per [Wayback] Koppelvlakspecificatie SAML DigiD v3.5 (definitief).pdf.

Twitter threads

–jeroen

Time out bug report

Filename length handling bug report

This entry was posted on 2021/12/14 at 06:00 and is filed under Authentication, Development, DigiD, Power User, Security, Software Development, Web Development. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

«
»
 
%d bloggers like this: