Extension of the session cache entry lifetime value
It is possible for the lifetime value of a session cache entry to expire while the user is performing a reauthentication. This situation occurs under the following conditions:
- The user requests a resource protected by a reauthentication POP
- The user's session cache entry lifetime value is very near expiration
The lifetime of a session cache entry can expire after the reauthentication login form is sent to the user and before the completed login form is returned. When the session cache entry lifetime value expires, the session cache entry is deleted. When the login form is returned to WebSEAL, there is no longer a session for that user. In addition, all cached user request data is lost.
We can configure a time extension, or "grace period," for the session cache entry lifetime value if the session cache entry lifetime expires during reauthentication. The reauth-extend-lifetime stanza entry in the [reauthentication] stanza of the webseald.conf configuration file provides this time extension, in seconds. For example (5 minutes):
[reauthentication]
reauth-extend-lifetime = 300
The default value, "0", provides no extension to the session cache entry timeout value.
The reauth-extend-lifetime stanza entry applies to users who have existing session cache entries and are required to reauthenticate. For example:
- Users performing reauthentication resulting from POP security policy
- Users performing reauthentication resulting from session cache inactivity
- Users performing step-up authentication
The reauth-extend-lifetime option is intended to be used in conjunction with the reauth-reset-lifetime=yes option.
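The following Python check is an added example, not part of the product documentation. It reads a webseald.conf-style file and reports whether the grace period described above is set and paired with reauth-reset-lifetime=yes. The sample file contents, the function names, and the treatment of "#" as a comment marker are assumptions made for illustration.

```python
# Added example: audit the [reauthentication] stanza of a webseald.conf-style file.
SAMPLE_CONF = """\
# constructed sample, not a real deployment file
[example-other-stanza]
reauth-extend-lifetime = 999

[reauthentication]
reauth-reset-lifetime = no
reauth-extend-lifetime = 300
"""

def read_stanza(text, stanza):
    """Return the key/value entries of one stanza (last value wins)."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == stanza and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries

def audit_reauth(text):
    """Return a list of findings about the reauthentication grace period."""
    entries = read_stanza(text, "reauthentication")
    findings = []
    raw = entries.get("reauth-extend-lifetime", "0")  # documented default is 0
    try:
        extend = int(raw)
    except ValueError:
        return [f"reauth-extend-lifetime is not a number of seconds: {raw!r}"]
    if extend < 0:
        findings.append("reauth-extend-lifetime is negative")
    elif extend == 0:
        findings.append("no grace period: session can expire while the "
                        "reauthentication form is outstanding")
    elif entries.get("reauth-reset-lifetime", "").lower() != "yes":
        findings.append(f"grace period of {extend}s set, but "
                        "reauth-reset-lifetime is not 'yes'")
    return findings

if __name__ == "__main__":
    for finding in audit_reauth(SAMPLE_CONF):
        print("WARN:", finding)
```

The entry with value 999 in the other stanza is ignored, so the check only reports on the settings that actually govern reauthentication.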