Configure token and ec-cookie lifetime values

vf-token-lifetime

The vf-token-lifetime stanza entry sets the lifetime timeout value (in seconds) of the vouch-for token. This value is checked against the creation time stamped on the cookie. The default is 180 seconds. When you set this value, take into account clock skew among participating servers.

For example:

[e-community-sso]
vf-token-lifetime = 180

ec-cookie-lifetime

The ec-cookie-lifetime stanza entry specifies the maximum lifetime (in minutes) of the e-community domain cookie. The default is 300 minutes.

For example:

[e-community-sso]
ec-cookie-lifetime = 300

We must take into account any clock skew among the participating domains. Clock skew means the system times differ on the relevant servers in each domain. When this difference approaches the value of vf-token-lifetime, the effective lifetime of the token is greatly reduced. When this difference exceeds the value of vf-token-lifetime, tokens from one domain cannot be valid for the other domain. Administrators should adjust vf-token-lifetime accordingly. However, when clock skew requires that vf-token-lifetime be set to a large value, the risk of replay attacks increases. In this case, administrators should consider synchronizing the system time on the relevant servers in each domain.
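
The following added example (not part of the product documentation) reads vf-token-lifetime from a stanza and, given measured clock offsets, reports for each issuer/receiver pair how many real seconds a vouch-for token remains acceptable. The host names, the offsets and the validation model (receiver accepts while its own clock minus the creation stamp is within the lifetime) are assumptions made for illustration.

```python
import configparser
from itertools import permutations

# Constructed sample input: the stanza from this page plus made-up clock
# offsets (seconds from a reference clock) for three hypothetical servers.
SAMPLE_CONF = """
[e-community-sso]
vf-token-lifetime = 180
"""
SAMPLE_OFFSETS = {"web.a.example": 0, "web.b.example": 150, "web.c.example": -200}


def read_vf_lifetime(conf_text):
    """Return vf-token-lifetime in seconds (180, the documented default, if unset)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser.getint("e-community-sso", "vf-token-lifetime", fallback=180)


def skew_report(lifetime, offsets):
    """Map (issuer, receiver) -> (skew, usable real seconds, status).

    Assumed model: the receiver computes age = its own clock - creation stamp
    and accepts the token while age <= lifetime. Rejection of future-dated
    tokens is not modelled.
    """
    report = {}
    for issuer, receiver in permutations(offsets, 2):
        skew = offsets[receiver] - offsets[issuer]  # > 0: receiver clock is ahead
        usable = lifetime - skew
        if usable <= 0:
            status = "rejected"    # skew reaches or exceeds the lifetime
        elif skew > 0:
            status = "shortened"   # token expires early in real time
        elif skew < 0:
            status = "extended"    # accepted longer than configured
        else:
            status = "nominal"
        report[(issuer, receiver)] = (skew, max(usable, 0), status)
    return report


def min_lifetime_for(offsets, margin=30):
    """Smallest lifetime leaving `margin` usable seconds on the worst pair."""
    return max(offsets.values()) - min(offsets.values()) + margin


if __name__ == "__main__":
    for pair, row in skew_report(read_vf_lifetime(SAMPLE_CONF), SAMPLE_OFFSETS).items():
        print(pair, row)
```

With the sample offsets, a lifetime of 380 seconds would be needed for every pair to work, which also lengthens the acceptance window on every pair; this is the replay trade-off described above, and synchronizing the clocks avoids it.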

For more information, see the web reverse proxy Stanza Reference topics.
