Advanced ISAM Session Timeout capabilities

Sometimes it might be necessary to manage a session lifetime based on business or security factors, and these might need to be specific to an operation in progress. Here are some helpful techniques for managing the timeouts more dynamically:

Understanding Session timeout accuracy

Before we go into more detail on setting the session timeouts, it’s important to know that session timeout/cleanup is done somewhat ‘lazily’ in order to improve performance, so a session may survive slightly past its configured timeout until the cleanup runs.

There is a fairly detailed technote that explains what this means in practical terms:

http://www-01.ibm.com/support/docview.wss?uid=swg21144905


Setting different session timeouts for Unauthenticated Sessions vs Authenticated Sessions

Assuming you are using unauthenticated sessions on ISAM:

[session]
...
create-unauth-sessions = yes

Then you might want to specify session timeouts that are specific to unauthenticated sessions as opposed to authenticated ones. This is easily done with the following configuration options:

For maximum lifetime configuration:

[session]
...
unauth-timeout = 7200
auth-timeout = 600

Each of these overrides the standard timeout setting.

For inactivity lifetime configuration:

[session]
...
unauth-inactive-timeout = 1200
auth-inactive-timeout = 600

These override the standard inactive-timeout setting.

Setting the maximum session lifetime per user via EAI

There is an advanced parameter that can be returned from an EAI that sets the maximum lifetime of the session based on a specific end time. This allows you to use custom logic to set the lifetime on a per user, or per EAI operation, basis.

The value must represent an absolute time expressed as the number of seconds since 00:00:00 UTC, January 1, 1970. The output of the UNIX time() function, for example, is in the correct format for this absolute time value.

I’ve worked with EAI’s in other articles here: https://philipnye.com/?submit=Search&s=EAI

Procedure:

  1. Configure the custom external authentication interface program to provide, in its authentication response, an HTTP header containing the session cache lifetime timeout value appropriate for that client. The required name of this header is:
    am_eai_xattr_session_lifetime

    Note: The name of this particular header is not configurable. The supplied header in the EAI will look something like the following:

    am_eai_xattr_session_lifetime:1129225478

    The value is the time at which the session should end, expressed in seconds since the Unix Epoch.

  2. Since this is an “Extended EAI Attribute”, you need to configure the custom external authentication interface program to additionally provide an HTTP header that specifies a comma-delimited list of HTTP header names that contain extended attribute values. WebSEAL should be configured to look for this header name in the [eai] stanza. The default name for this header is:
     am-eai-xattrs

    For example:

    am-eai-xattrs: am_eai_xattr_session_lifetime


Setting the inactivity timeout per user via EAI

There is an advanced parameter that can be returned from an EAI that sets the inactivity timeout of the session in seconds. This allows you to use custom logic to set the inactivity timeout of a session on a per user, or per EAI operation, basis. This value overrides the setting in the WebSEAL reverse proxy configuration file.

The value is the number of seconds of inactivity after which the session will time out.

Procedure:

  1. Configure the custom external authentication interface program to provide, in its authentication response, an HTTP header containing the session inactivity timeout value appropriate for that client. The required name of this header is:
    am_eai_xattr_session_inactive_timeout

    Note: The name of this particular header is not configurable. The supplied header in the EAI will look something like the following:

    am_eai_xattr_session_inactive_timeout:120

    The value is the number of seconds of inactivity required in order to end the session.

  2. As with the header above, this is an “Extended EAI Attribute”, so you need to configure the custom external authentication interface program to additionally provide an HTTP header that specifies a comma-delimited list of HTTP header names that contain extended attribute values. WebSEAL should be configured to look for this header name in the [eai] stanza. The default name for this header is:
     am-eai-xattrs

    For example:

    am-eai-xattrs: am_eai_xattr_session_inactive_timeout

And you could use this in conjunction with the earlier EAI header as follows:

am-eai-xattrs: am_eai_xattr_session_inactive_timeout, am_eai_xattr_session_lifetime
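The two EAI procedures above come down to computing the right values and emitting the headers consistently, including listing every extended attribute header in am-eai-xattrs (WebSEAL ignores an attribute header that is not listed there). The following is an added example written for this page, not code from the post or from ISAM itself: it builds the response headers for both the absolute lifetime and the inactivity timeout, optionally capping the lifetime at a hard business cutoff, and includes a small self-check that mirrors what WebSEAL looks at so you can test an EAI's response before deploying it. The policy table and the group names in it are constructed for illustration; the header names are the ones the procedures above require, and the am-eai-xattrs name is assumed to be left at its default.

```python
import time

# Fixed header names required by WebSEAL (not configurable), per the procedures above.
LIFETIME_HEADER = "am_eai_xattr_session_lifetime"
INACTIVE_HEADER = "am_eai_xattr_session_inactive_timeout"
# Default name of the list header; assumed unchanged in the [eai] stanza.
XATTRS_HEADER = "am-eai-xattrs"

# Constructed per-group policy (illustration only): (max lifetime seconds, inactivity seconds).
# Shorter values for higher-privilege groups reduce the window a hijacked session is usable.
GROUP_POLICY = {
    "admins": (900, 120),
    "staff": (3600, 600),
    "customers": (7200, 1200),
}


def session_end_epoch(now, max_lifetime_seconds, hard_cutoff_epoch=None):
    """Absolute session end time as seconds since the Unix Epoch (what time() returns).

    The session ends after max_lifetime_seconds or at hard_cutoff_epoch (for example the
    end of a business window), whichever comes first. A value that is not in the future
    is rejected rather than sent, since it would create an already-expired session.
    """
    end = int(now) + int(max_lifetime_seconds)
    if hard_cutoff_epoch is not None:
        end = min(end, int(hard_cutoff_epoch))
    if end <= int(now):
        raise ValueError("session end time must be in the future")
    return end


def build_eai_timeout_headers(now, max_lifetime_seconds=None, inactive_seconds=None,
                              hard_cutoff_epoch=None):
    """Return the extra headers an EAI adds to its authentication response.

    Only the overrides requested are emitted, and am-eai-xattrs lists exactly those
    attribute headers so WebSEAL picks them up.
    """
    headers = {}
    xattrs = []
    if inactive_seconds is not None:
        inactive = int(inactive_seconds)
        if inactive <= 0:
            raise ValueError("inactivity timeout must be a positive number of seconds")
        headers[INACTIVE_HEADER] = str(inactive)
        xattrs.append(INACTIVE_HEADER)
    if max_lifetime_seconds is not None:
        end = session_end_epoch(now, max_lifetime_seconds, hard_cutoff_epoch)
        headers[LIFETIME_HEADER] = str(end)
        xattrs.append(LIFETIME_HEADER)
    if xattrs:
        headers[XATTRS_HEADER] = ", ".join(xattrs)
    return headers


def headers_for_group(group, now, hard_cutoff_epoch=None):
    """Apply the constructed per-group policy; unknown groups get no override,
    so WebSEAL falls back to the values in its configuration file."""
    policy = GROUP_POLICY.get(group)
    if policy is None:
        return {}
    lifetime, inactive = policy
    return build_eai_timeout_headers(now, lifetime, inactive, hard_cutoff_epoch)


def extended_attributes_seen_by_webseal(headers):
    """Self-check for an EAI response: return the extended attributes WebSEAL would
    read (those named in am-eai-xattrs), and raise if a listed header is missing."""
    listed = headers.get(XATTRS_HEADER, "")
    names = [n.strip() for n in listed.split(",") if n.strip()]
    missing = [n for n in names if n not in headers]
    if missing:
        raise ValueError("am-eai-xattrs names headers that are not present: %s" % missing)
    return {n: headers[n] for n in names}


if __name__ == "__main__":
    now = int(time.time())
    # Admin session: 15 minute lifetime, but never past a 10 minute cutoff from now.
    resp = headers_for_group("admins", now, hard_cutoff_epoch=now + 600)
    for name, value in resp.items():
        print("%s: %s" % (name, value))
    print(extended_attributes_seen_by_webseal(resp))
```

The self-check is worth running against a captured EAI response during testing: the most common mistake with extended attributes is adding the attribute header but forgetting to list it in am-eai-xattrs, in which case WebSEAL silently keeps the configured timeouts.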
