Advanced ISAM Session Timeout capabilities

Sometimes it might be necessary to manage a session lifetime based on business or security factors, and these might need to be specific to an operation in progress. Here are some helpful techniques for managing the timeouts more dynamically:

Understanding Session timeout accuracy

Before we go into more detail on setting the session timeouts, it is important to know that session timeout/cleanup is done somewhat 'lazily' in order to improve performance. A session can therefore linger in the cache for a while past its nominal expiry until it is next touched or cleaned up, so treat the configured values as lower bounds rather than exact cut-offs.

There is a fairly detailed technote that explains what this means in practical terms:

http://www-01.ibm.com/support/docview.wss?uid=swg21144905


Setting different session timeouts for Unauthenticated Sessions vs Authenticated Sessions

Assuming you are using unauthenticated sessions on ISAM:

[session]
...
create-unauth-sessions = yes

Then you might want to specify session timeouts that are specific to unauthenticated sessions and different ones for authenticated sessions. This is easily done with the following configuration options.

For maximum lifetime configuration:

[session]
...
unauth-timeout = 7200
auth-timeout = 600

Each of these overrides the standard timeout setting for the corresponding session type (values are in seconds).

For inactivity lifetime configuration:

[session]
...
unauth-inactive-timeout = 1200
auth-inactive-timeout = 600

These override the standard inactive-timeout setting for the corresponding session type.

Setting the maximum session lifetime per user via EAI

There is an advanced parameter that can be returned from an EAI to set the maximum lifetime of the session based on a specific end time. This allows you to use custom logic to set the lifetime on a per user, or per EAI operation, basis.

The value must represent an absolute time expressed as the number of seconds since 00:00:00 UTC, January 1, 1970. The output of the UNIX time() function, for example, represents the correct format of this absolute time value. Note that this is an absolute end time, not a duration: returning a value such as 3600 would be read as a time in 1970 and the session would already be expired.

I’ve worked with EAIs in other articles here: https://philipnye.com/?submit=Search&s=EAI

Procedure:

  1. Configure the custom external authentication interface program to provide, in its authentication response, an HTTP header containing the session cache lifetime timeout value appropriate for that client. The required name of this header is:
    am_eai_xattr_session_lifetime

    Note: The name of this particular header is not configurable. The supplied header in the EAI will look something like the following:

    am_eai_xattr_session_lifetime:1129225478

    The value is a time the session should end – described in seconds since the Unix Epoch.

  2. Since this is an “Extended EAI Attribute”, you need to configure the custom external authentication interface program to additionally provide an HTTP header that specifies a comma-delimited list of HTTP header names that contain extended attribute values. WebSEAL should be configured to look for this header name in the [eai] stanza. The default name for this header is:
     am-eai-xattrs

    For example:

    am-eai-xattrs: am_eai_xattr_session_lifetime


Setting the inactivity timeout per user via EAI

There is an advanced parameter that can be returned from an EAI to set the inactivity timeout of the session in seconds. This allows you to use custom logic to set the inactivity timeout of a session on a per user, or per EAI operation, basis. This value overrides the inactive-timeout setting in the WebSEAL reverse proxy configuration file.

The value is described as the number of seconds until the session will timeout due to inactivity.

Procedure:

  1. Configure the custom external authentication interface program to provide, in its authentication response, an HTTP header containing the session inactivity timeout value appropriate for that client. The required name of this header is:
    am_eai_xattr_session_inactive_timeout

    Note: The name of this particular header is not configurable. The supplied header in the EAI will look something like the following:

    am_eai_xattr_session_inactive_timeout:120

    The value is the number of seconds of inactivity required in order to end the session.

  2. Similar to the header above, since this is an “Extended EAI Attribute” you need to configure the custom external authentication interface program to additionally provide an HTTP header that specifies a comma-delimited list of HTTP header names that contain extended attribute values. WebSEAL should be configured to look for this header name in the [eai] stanza. The default name for this header is:
     am-eai-xattrs

    For example:

    am-eai-xattrs: am_eai_xattr_session_inactive_timeout

And you could use this in conjunction with the earlier EAI header as follows:

am-eai-xattrs: am_eai_xattr_session_inactive_timeout, am_eai_xattr_session_lifetime
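As an added example covering both of the EAI procedures above (the per-user maximum lifetime and the per-user inactivity timeout), here is a small Python module that builds the response headers an EAI would return and sanity-checks them before they are sent. This is not code from the original post or from IBM; the group-based policy table, the user names and the 86400-second cap are constructed for illustration. It assumes the default [eai] header names am-eai-xattrs and am-eai-user-id; the two am_eai_xattr_* names are fixed, as the post notes.

```python
import time

# Header names WebSEAL looks for. The two am_eai_xattr_* names are fixed;
# "am-eai-xattrs" and "am-eai-user-id" are the default names from the [eai]
# stanza and may have been renamed in your configuration (assumption here).
LIFETIME_HEADER = "am_eai_xattr_session_lifetime"
INACTIVE_HEADER = "am_eai_xattr_session_inactive_timeout"
XATTRS_HEADER = "am-eai-xattrs"
USER_ID_HEADER = "am-eai-user-id"

# Constructed policy table (not from the post): maximum session lifetime and
# inactivity timeout in seconds per group. The most restrictive group wins.
POLICY = {
    "admin":   {"lifetime": 900,   "inactive": 120},
    "default": {"lifetime": 28800, "inactive": 1800},
}


def pick_policy(groups, policy=POLICY):
    """Return the most restrictive (lifetime, inactive) pair across the user's groups."""
    candidates = [policy[g] for g in groups if g in policy] or [policy["default"]]
    lifetime = min(c["lifetime"] for c in candidates)
    inactive = min(c["inactive"] for c in candidates)
    return lifetime, inactive


def session_headers(user, groups, now=None, policy=POLICY):
    """Build the EAI authentication-response headers for `user`.

    The lifetime header carries an absolute Unix epoch time (now + max lifetime),
    which is what WebSEAL expects; the inactivity header carries a duration in
    seconds. Both names are listed in am-eai-xattrs so WebSEAL treats them as
    extended attributes.
    """
    now = int(time.time()) if now is None else int(now)
    lifetime, inactive = pick_policy(groups, policy)
    return {
        USER_ID_HEADER: user,
        LIFETIME_HEADER: str(now + lifetime),
        INACTIVE_HEADER: str(inactive),
        XATTRS_HEADER: f"{LIFETIME_HEADER}, {INACTIVE_HEADER}",
    }


def check_headers(headers, now=None, max_lifetime=86400):
    """Return a list of problems with an EAI response, empty if it looks sane.

    The classic mistake is returning a *duration* in am_eai_xattr_session_lifetime:
    WebSEAL reads it as an epoch time in 1970, so the session is already expired.
    A header not listed in am-eai-xattrs is not treated as an extended attribute.
    """
    now = int(time.time()) if now is None else int(now)
    problems = []
    listed = {h.strip() for h in headers.get(XATTRS_HEADER, "").split(",") if h.strip()}
    for name in (LIFETIME_HEADER, INACTIVE_HEADER):
        if name in headers and name not in listed:
            problems.append(f"{name} is set but not listed in {XATTRS_HEADER}")
    if LIFETIME_HEADER in headers:
        end = int(headers[LIFETIME_HEADER])
        if end <= now:
            problems.append(f"{LIFETIME_HEADER}={end} is in the past (was a duration sent?)")
        elif end - now > max_lifetime:
            problems.append(f"{LIFETIME_HEADER} allows {end - now}s, above the {max_lifetime}s cap")
    if INACTIVE_HEADER in headers and int(headers[INACTIVE_HEADER]) <= 0:
        problems.append(f"{INACTIVE_HEADER} must be a positive number of seconds")
    return problems


if __name__ == "__main__":
    # Constructed sample: an administrator gets the short policy.
    hdrs = session_headers("alice", ["admin", "staff"])
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print("problems:", check_headers(hdrs))
```

In a real EAI these headers go on the HTTP response that the EAI application returns to WebSEAL for the trigger URL; the check function is the kind of guard worth keeping in the EAI's own tests, since a wrong lifetime value fails silently as an immediately expired session rather than as an error.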

Return remaining session time to the client/browser

It is possible to return the remaining session time to the browser, to help JavaScript functions and other UI mechanisms handle an upcoming session timeout better (for example by warning the user before the session expires).

This can be done using the settings in the WebSEAL configuration file as follows:

[rsp-header-names]

#
# This stanza is used to define static HTTP headers which will be added
# to every HTTP response from the WebSEAL server. This will provide the
# administrator with the ability to insert some standard security headers
# into the response, such as strict-transport-security,
# content-security-policy and x-frame-options.
#
# Please note that the headers which are defined in this stanza will replace
# any matching headers which might have been added to the response by a
# junctioned application.
#
# If multiple headers of the same name are specified in this stanza all
# but the last of the matching entries will be ignored.
#
# The format of each entry in this stanza is:
# <header-name> = <header-value>
#
# For example,
# strict-transport-security = max-age=31536000; includeSubDomains
#
# A special <header-value> of '%SESSION_EXPIRY%' can be used to
# designate a header which will contain the remaining length of time, in
# seconds, before the current local session expires. This value does not
# include the overall session timeout for sessions which are managed by
# the distributed session cache (DSC), but just the length of time before
# the session expires in the local cache.
#
# For example:
# session-timeout = %SESSION_EXPIRY%
#
session-timeout = %SESSION_EXPIRY%

Prevent specific URLs from counting as session activity

By default, session expiry based on inactivity is reset by a request to ANY URL protected by WebSEAL, so a background polling request keeps the session alive indefinitely.

Specific URLs can be prevented from resetting the inactivity timer either by attaching a POP to the URL in the WebSEAL object space, or more simply by using a newer setting in the configuration file to preserve the inactivity timeout on specific URLs. Note that the two are mutually exclusive: once a preserve-inactivity-timeout pattern is configured, the POP method is disabled (see the comment below).

The POP method is as follows:

pdadmin> pop create robot
pdadmin> pop modify robot set attribute preserve-inactivity-time true
pdadmin> pop attach /WebSEAL/hostA/junction/status.html robot

And the configuration file method is found in the [session] stanza:

#
# In some circumstances, you might not want the requests for a particular
# resource to affect the inactivity timeout for a session. For example, you
# might want to preserve the inactivity timeout when a server is polled by
# an Ajax script running in the background of a client browser.
#
# The following configuration entry can be used to designate the resources
# which, when accessed, should not impact the inactivity timeout for the
# session.
#
# A comparison will be performed against either the full HTTP request line or
# the decoded URI (controlled by the preserve-inactivity-timeout-match-uri
# configuration entry). If a match is found the inactivity timeout for the
# session will not be affected by the request.
#
# If a pattern has been specified using this configuration entry the legacy
# preserve-inactivity-time POP functionality will be disabled.
#
# Multiple patterns can be specified by including multiple configuration entries
# of the same name.
#
# You also have the option of matching a request using a host header, useful
# when selectively enabling this functionality for a particular virtual host
# junction. To selectively match an entry based on a particular host header
# the configuration entry should be prepended with the string: [<host>].
#
# Example:
# preserve-inactivity-timeout = /jct/robot/*
# preserve-inactivity-timeout = [www.ibm.com]/robot/*
#
preserve-inactivity-timeout = /some/polling/url*
