Cache entry inactivity timeout value

The inactive-timeout stanza entry, located in the [session] stanza of the WebSEAL configuration file, sets the timeout value for user session inactivity.

For example, if a user is inactive for a period of time longer than the inactivity timeout, WebSEAL either deletes the user's session entirely or flags the session as requiring re-authentication. For information on requiring re-authentication for inactive sessions, refer to Reauthentication with external authentication interface. The default login session inactivity timeout (in seconds) is 600:

[session]
inactive-timeout = 600

The value for a particular session cache (either unauthenticated or authenticated) can be supplied by prefixing the configuration entry with the session cache name (either unauth or auth). For example:

unauth-inactive-timeout = 300

WebSEAL does not impose a maximum value for this stanza entry.

A value of "0" disables this inactivity timeout feature (inactivity timeout value is unlimited). The control of cache entries is then governed only by the timeout and max-entries stanza entries.

When a cache is full, the entries are cleared based on a least-recently-used algorithm. See Maximum session cache entries value. This stanza entry is ineffective for authentication methods that include authentication data in every request to the WebSEAL server, such as basic authentication (BA), SPNEGO, and some forms of certificate authentication. Those authentication methods automatically reauthenticate the user to the WebSEAL server if the user's session has been deleted due to inactivity or lifetime timeouts. The result is repeated resetting of the inactive and lifetime timeout values.

Preserve inactivity timeout

In some circumstances, we might not want the requests for a particular resource to affect the inactivity timeout for a session. For example, we might want to preserve the inactivity timeout when a server is polled by an Ajax script running in the background of a client browser.

We can create security policies to specify the resources that must not affect the inactivity timeout of the user session. To define this security policy, we must create a protected object policy (POP) with an extended attribute named preserve-inactivity-time. We can attach this POP to any object that requires the inactivity timeout to be unaffected by a request. Remember that all children of the object with the POP also inherit the POP conditions.

Use the following commands to create and apply the preserve-inactivity-time POP:

Create a POP called robot with the preserve-inactivity-time extended attribute and attach it to the status.html object:

When this policy is in place, requests made to status.html will not impact the inactivity timeout for the user session. Tip: We can configure WebSEAL to return session timeout information to the client by adding a <header-name> = %SESSION_EXPIRY% entry to the [rsp-header-names] stanza. See [rsp-header-names] stanza.
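The following is an added example, written for this page and not WebSEAL's own code, that models the session-cache behaviour described in both sections above: the inactivity timer (with 0 disabling it), the lifetime timeout, least-recently-used eviction when the cache is full, the unauth-/auth- prefix taking precedence over the plain entry, and a set of preserve-inactivity-time resources whose requests do not refresh the timer. The class names, the 3600 lifetime and 4096 max-entries fallbacks, and the choice to leave LRU order untouched on a preserved request are assumptions of this model, as is the sample timeline. The pdadmin listing that this page refers to ("the following commands") is not reproduced here.

```python
"""Toy model of WebSEAL session-cache timeouts (constructed example, not WebSEAL code)."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Entry:
    created: float      # when the session entry was created (seconds)
    last_active: float  # last request that counted toward inactivity


class SessionCache:
    """One session cache ("unauth" or "auth") driven by [session]-style keys."""

    def __init__(self, name, config, preserve=frozenset()):
        # A cache-specific key (e.g. unauth-inactive-timeout) overrides the plain key.
        self.inactive = config.get(f"{name}-inactive-timeout",
                                   config.get("inactive-timeout", 600))
        # Fallback defaults below are assumptions of this model.
        self.lifetime = config.get(f"{name}-timeout", config.get("timeout", 3600))
        self.max_entries = config.get(f"{name}-max-entries",
                                      config.get("max-entries", 4096))
        self.preserve = set(preserve)   # resources carrying the preserve-inactivity-time POP
        self.entries = OrderedDict()    # insertion/touch order == LRU order

    def expire(self, now):
        """Drop entries that exceeded the inactivity or lifetime limit; 0 disables a limit."""
        dead = [sid for sid, e in self.entries.items()
                if (self.inactive and now - e.last_active > self.inactive)
                or (self.lifetime and now - e.created > self.lifetime)]
        for sid in dead:
            del self.entries[sid]

    def create(self, session_id, now):
        self.expire(now)
        if len(self.entries) >= self.max_entries:
            self.entries.popitem(last=False)  # full: evict least recently used
        self.entries[session_id] = Entry(now, now)

    def request(self, session_id, resource, now):
        """Return True if the session is still valid for this request."""
        self.expire(now)
        entry = self.entries.get(session_id)
        if entry is None:
            return False
        if resource not in self.preserve:
            # Ordinary request: reset the inactivity timer and mark as recently used.
            entry.last_active = now
            self.entries.move_to_end(session_id)
        # Preserved resource (e.g. a polled status page): timer left untouched (assumption:
        # LRU position is also left untouched).
        return True


def run_scenario():
    """Constructed timeline exercising each rule; returns a dict of observations."""
    config = {"inactive-timeout": 600, "unauth-inactive-timeout": 300, "max-entries": 2}
    cache = SessionCache("unauth", config, preserve={"/status.html"})
    out = {"prefix_wins": cache.inactive == 300}

    cache.create("s1", now=0)
    out["ordinary_refreshes"] = cache.request("s1", "/index.html", now=200)
    # Background poll at t=450: allowed, but last_active stays at 200.
    out["poll_ok"] = cache.request("s1", "/status.html", now=450)
    # t=550: 550 - 200 > 300, so the session has expired despite the poll.
    out["expired_after_poll"] = cache.request("s1", "/index.html", now=550)

    # inactive-timeout = 0 disables the inactivity limit; only lifetime applies.
    auth = SessionCache("auth", {"inactive-timeout": 0, "timeout": 3600})
    auth.create("s2", now=0)
    out["zero_disables"] = auth.request("s2", "/x", now=3000)
    out["lifetime_still_applies"] = auth.request("s2", "/x", now=7000)

    # Cache full (max-entries = 2): the least recently used entry is evicted.
    cache.create("a", now=600)
    cache.create("b", now=601)
    cache.create("c", now=602)
    out["lru_evicted"] = "a" not in cache.entries and "c" in cache.entries
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The model deliberately has no notion of credentials in the request, which is the point of the page's caveat about basic authentication, SPNEGO and some certificate methods: with those, an expired entry is simply recreated on the next request, so the inactivity timer never has a lasting effect. When checking a real deployment, the %SESSION_EXPIRY% response header mentioned in the tip above is the practical way to observe whether a polled resource is, or is not, refreshing the timer.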

Parent topic: WebSEAL session cache configuration