Cache entry lifetime timeout value

The timeout stanza entry, located in the [session] stanza of the WebSEAL configuration file, sets the maximum lifetime timeout value for all user session information stored in the WebSEAL authenticated or unauthenticated session caches.

WebSEAL caches credential information internally, so the session cache timeout stanza entry dictates the length of time authorization credential information remains in memory on WebSEAL.

The stanza entry is not an inactivity timeout. The value maps to a "credential lifetime" rather than a "session inactivity timeout". Its purpose is to enhance security by forcing the user to reauthenticate when the specified timeout limit is reached.

The default session cache entry lifetime timeout (in seconds) is 3600.

WebSEAL does not impose a maximum value for this stanza entry.

A value of "0" disables this timeout feature (lifetime value is unlimited). The control of cache entries is then governed by the inactive-timeout and max-entries stanza entries.

When a cache is full, the entries are cleared based on a least-recently-used algorithm. See Maximum session cache entries value.

This stanza entry is ineffective for authentication methods that include authentication data in every request to the WebSEAL server, such as basic authentication (BA), SPNEGO, and some forms of certificate authentication. Those authentication methods automatically reauthenticate the user to the WebSEAL server if the user's session has been deleted due to inactivity or lifetime timeouts. The result is repeated resetting of the inactive and lifetime timeout values.

Tip: We can configure WebSEAL to return session timeout information to the client by adding a <header-name> = %SESSION_EXPIRY% entry to the [rsp-header-names] stanza. See [rsp-header-names] stanza.
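The following is an added example, not IBM's code or part of the original page: a small Python check that reads a WebSEAL-style configuration text and reports how session lifetime is controlled, following the rules described above. The sample configuration, the header name `session-expiry` and the function names are constructed for illustration, and the parser assumes `#` comment lines and `key = value` entries.

```python
DEFAULT_LIFETIME = 3600  # default [session] timeout stated on this page, in seconds

# Constructed sample; "session-expiry" stands in for the page's <header-name>.
SAMPLE_CONF = """\
[session]
timeout = 0
inactive-timeout = 600
max-entries = 4096

[rsp-header-names]
session-expiry = %SESSION_EXPIRY%
"""

def parse_stanzas(text):
    """Return {stanza: [(key, value), ...]}, keeping repeated keys in order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return stanzas

def audit_session_lifetime(text):
    """Summarise how session lifetime is controlled in a configuration text."""
    stanzas = parse_stanzas(text)
    session = dict(stanzas.get("session", []))
    # An absent timeout entry falls back to the default lifetime.
    lifetime = int(session.get("timeout", DEFAULT_LIFETIME))
    report = {"lifetime_seconds": lifetime, "unlimited": lifetime == 0,
              "unset_controls": []}
    if lifetime == 0:
        # With no lifetime limit, only these two entries govern cache entries;
        # list the ones this file does not set explicitly.
        report["unset_controls"] = [
            k for k in ("inactive-timeout", "max-entries") if k not in session]
    # Header (if any) that returns session expiry information to the client.
    report["expiry_header"] = next(
        (k for k, v in stanzas.get("rsp-header-names", [])
         if v == "%SESSION_EXPIRY%"), None)
    return report

if __name__ == "__main__":
    print(audit_session_lifetime(SAMPLE_CONF))
```

A non-empty `unset_controls` list together with `unlimited` set to true marks a configuration where the lifetime limit is disabled and the remaining controls are left to values not set in that file.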
