Prevention of session removal when the session lifetime expires
The session cache entry lifetime value usually determines the maximum session length. It is possible for a user to remain active for the full duration of a session lifetime. When the session lifetime value expires, the session cache entry is normally removed and the user is logged off, regardless of activity.
To prevent this sudden session termination, we can configure WebSEAL to allow the user to reauthenticate after the session timeout value has expired. After successful reauthentication, the lifetime value of the session cache entry is reset.
WebSEAL allows resetting of the session lifetime value, after it has expired, under the following conditions:
- Reauthentication based on inactivity policy is enabled (reauth-for-inactive=yes)
- The session lifetime value (timeout) has expired
- The time extension ("grace period") for the session lifetime is enabled and set to a reasonable value (for example, reauth-extend-lifetime=300)
- The user activates the reauthentication prompt by requesting a protected resource before the time extension ("grace period") expires. (WebSEAL does not allow repeated additions of the time extension to an end-of-session-lifetime event.)
- Resetting the session cache lifetime is configured to be true (reauth-reset-lifetime=yes)
At the occurrence of a session lifetime expiration, WebSEAL checks the conditions listed above. If all conditions are met, the lifetime timeout is extended by the reauth-extend-lifetime value and the user's session cache entry is "flagged" as extended. The session cache entry (containing the user credential) is not removed and the user can proceed to access unprotected resources. When the user requests a protected resource, WebSEAL prompts the user to reauthenticate.
The reauth-extend-lifetime value should be set to a reasonable value so the user has enough time to trigger the reauthentication prompt. Note that if the user does not access a protected object during the "grace period", the reauthentication process is not activated. In this case, it is possible for the reauth-extend-lifetime value to expire, in which case the session cache entry is removed.
Typically, however, reauthentication policy is implemented to secure an application that is serving predominantly protected resources. A time extension ("grace period") of 5–10 minutes should be adequate time to allow an active user to trigger the reauthentication process, and therefore reset the session lifetime value.
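The following is an added model of the lifetime-extension rules described above, written for this page as an illustration; it is not WebSEAL's own code, and the exact behaviour after a successful reauthentication with reauth-reset-lifetime=no is an assumption of the model.

```python
from dataclasses import dataclass
# Constructed model of the lifetime-extension rules described above
# (an added illustration, not WebSEAL's own code). Times are in seconds.

@dataclass
class ReauthConfig:
    timeout: int                  # session lifetime ([session] timeout)
    reauth_for_inactive: bool     # reauth-for-inactive
    reauth_extend_lifetime: int   # grace period; 0 means no extension
    reauth_reset_lifetime: bool   # reauth-reset-lifetime

@dataclass
class SessionEntry:
    expires: int
    extended: bool = False        # flagged: the grace period is granted only once
    removed: bool = False

class SessionCache:
    def __init__(self, cfg: ReauthConfig):
        self.cfg = cfg

    def create(self, now: int) -> SessionEntry:
        return SessionEntry(expires=now + self.cfg.timeout)

    def on_request(self, entry: SessionEntry, now: int, protected: bool) -> str:
        """Outcome for one request: 'serve', 'reauth' or 'logged_off'."""
        if entry.removed:
            return "logged_off"
        if now >= entry.expires:
            if not entry.extended:
                # Lifetime expired: grant the grace period once if policy allows it.
                if self.cfg.reauth_for_inactive and self.cfg.reauth_extend_lifetime > 0:
                    entry.expires += self.cfg.reauth_extend_lifetime
                    entry.extended = True
                else:
                    entry.removed = True
                    return "logged_off"
            if now >= entry.expires:
                # Grace period passed without reauthentication: the entry is removed.
                entry.removed = True
                return "logged_off"
        # In the grace period unprotected resources are served; a protected one prompts.
        return "reauth" if entry.extended and protected else "serve"

    def on_reauth_success(self, entry: SessionEntry, now: int) -> None:
        # reauth-reset-lifetime=yes restarts the full lifetime; otherwise (an assumption
        # of this model) the entry keeps its extended expiry.
        if self.cfg.reauth_reset_lifetime:
            entry.expires = now + self.cfg.timeout
            entry.extended = False
```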