The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,572 other followers

SVB PGB and DigiD security suddenly logged you out every 15 minutes despite the count down counter indicating otherwise.

Posted by jpluimers on 2021/12/14

From a while back, so I hope it has been fixed by now on the SVB PGB site.

The Dutch SVB (sociale verzekeringsbank, the [WayBack] organisation that implements social security schemes in The Netherlands) has a web-site to submit declarations for PGB ([Wayback] individualised subsidy for care, or personal care budget).

Authentication for the site goes through DigiD, the identity provider through which government related web-sites can verify the identity of Dutch residents on the internet.

In from somewhere in the mid 2010s until somewhere in 2020, the SVB PGB site would log you out when the 15-minute inactivity count-down in the lower right of the screen would reach zero.

After that, the behaviour changed: you would be logged out 15 minutes after logon, forcing one to login way more often. Each logoff/logon cycle had these effets:

  1. loosing the data you entered on the current page
  2. a cost to SVB of about EUR 0.15 excluding VAT for the logon
  3. loss of time and convenience for the end-user

Note that due to site stability reasons in the years before, I already printed each web-page to PDF before submitting, as there was no way to use the “back” button to see what information you had entered.

That way at least I had the information at hand when re-entering the same information. It also provided me of a “paper” trail of site navigation and entered data.

That’s why I reported it early March 2021:

It appeared that the logoff/logon sequence (even if the time-out was implemented correctly), invalidated a very important government mandated architecture principle: the NORA “ask information only once” principle: [Wayback] Eenmalige uitvraag – NORA Online.

Given this is mandatory (classified as noodzakelijk at the top of the graph at [Wayback] Grafisch overzicht relatie principes – NORA Online), I pushed for a quick resolving.

The original behaviour (with automatic renewing the authentication token between 10 and 15 minutes of the inactivity counter) was correct as per [Wayback] Koppelvlakspecificatie SAML DigiD v3.5 (definitief).pdf.

Twitter threads

–jeroen


Time out bug report

Filename length handling bug report

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

 
%d bloggers like this: