Removal of a user session at login failure policy limit

If a reauthentication attempt fails, WebSEAL normally returns the login prompt again. Because the user still holds a valid session and credential, the user can abandon the reauthentication process (by requesting another URL) and continue to participate in the secure domain by accessing other resources that do not require reauthentication.

However, the reauthentication process is subject to the login failure policy (max-login-failures) if the user continues to fail reauthentication attempts. When the number of failed reauthentication attempts reaches the max-login-failures limit, WebSEAL responds according to the terminate-on-reauth-lockout configuration.

The terminate-on-reauth-lockout stanza entry is located in the [reauthentication] stanza of the WebSEAL configuration file. This stanza entry controls whether the user's session cache entry is completely removed when the max-login-failures policy limit is reached during reauthentication.

The default setting is "yes". When the maximum number of failed login attempts (specified by the max-login-failures policy) is reached during reauthentication, the user is logged out of the original session and the user's session cache entry is removed.
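The following configuration fragment is an added illustration of the two settings described in this topic; it is not copied from the product documentation. The instance file name in the comment is assumed, and the entry values and their meanings are those given above.

```ini
# WebSEAL configuration file (for example webseald-default.conf).
# Added illustration of the terminate-on-reauth-lockout entry; the file
# name is assumed, the stanza and entry names are those used in this topic.

[reauthentication]

# Default and recommended. When the failed reauthentication attempts reach
# the max-login-failures policy limit, the original session is logged out
# and the session cache entry is removed: the user can still reach
# unprotected resources, but must log in again for any protected resource.
terminate-on-reauth-lockout = yes

# Pre-6.0 compatibility behaviour. The initial session survives the
# lockout and still reaches resources that carry no reauth POP; only the
# resource protected by the reauth POP is locked, for disable-time-interval
# seconds (or until an administrator unlocks the account when the policy
# is set to "disable"). Uncomment this line and remove the "yes" line to
# select it.
# terminate-on-reauth-lockout = no
```

The lockout behaviour itself comes from the login failure policy rather than from this file: the max-login-failures and disable-time-interval values are set with the pdadmin policy set commands (policy set max-login-failures and policy set disable-time-interval, which are the pdadmin command names as I know them, not commands shown in this topic), and late-lockout-notification is a separate WebSEAL configuration entry. After changing terminate-on-reauth-lockout, restart the WebSEAL instance and verify the result by deliberately failing reauthentication max-login-failures times on a reauth-protected resource, then requesting a resource that carries no reauth POP: with "yes" you are prompted to log in again, with "no" the original session still serves the request.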

Now the user no longer has a valid session and credential. Although the user can still access unprotected resources, the user is required to log in again for any request made to a protected resource.

A value of "no" for the terminate-on-reauth-lockout stanza entry is provided for backward compatibility with versions of WebSEAL prior to version 6.0.

With the "no" setting, the user is not logged out and the initial login session is still valid. The user can still access other resources that are not protected by a reauth POP. Note that this means a session whose holder repeatedly fails to prove the credential keeps its access to every resource that does not require reauthentication; leave the default "yes" unless the older behaviour is specifically required.

When the maximum number of failed login attempts (specified by the max-login-failures policy) is reached during reauthentication, the user is locked out of that resource for the period specified by the disable-time-interval policy setting, and is notified of the lockout as specified by the late-lockout-notification configuration setting.

For both values of terminate-on-reauth-lockout, the specific response to the user is governed by the disable-time-interval and late-lockout-notification settings.

If the disable-time-interval policy is set to a number of seconds, the error message indicates that the account is temporarily locked out.

If the disable-time-interval policy is set to "disable", the error message indicates that the account has been disabled and that an administrator is required to reset (unlock) the account.

For complete details on the login failure policy mechanism, see Login failure policy ("three strikes" login policy).

Parent topic: Reauthentication