Symantec Access Management

  • Private Community
 View Only

 idle session time out across browser tabs

Kunal Shah's profile image
Kunal Shah posted Apr 21, 2021 01:07 AM
Hi All, I am not sure if this is a siteminder issue as this can happen to any application maintaining sessions across the browser tabs.

We have an application app1.forwardinc.com The user logs in and smsession is set. User lands on protected home page https://app1.forwardinc.com/homepage.html

From the home page the user clicks on a link and another tab opens up with url https://app1.forwardinc.com/newpage.html

Both these pages are protected in the same domain, in different realm, with the same agent. The idle time is 8 hours and max time out is 10 hours for both realms.

The problem is, when the user keeps working on this new tab, the first tab gets idle time out. So when user finishes the work and goes back to the first tab, he/she is asked to login again. Is there a way to keep session active across the tabs?

From user's perspective, he is working on the same application in different tab, so when he finishes the work in one tab and goes back to the application, it should not idle time out.
James Atchley's profile image
Broadcom Employee James Atchley posted Apr 22, 2021 09:55 AM

Hello, 
Have you had the opportunity to review a header trace from the browser side? 
You looking to confirm that the SMSESSION cookies are being updated in the same domain scope and session value and not with zone cookies. 
Then you want to review the agent log / Trace logs for all the agent in the transactional flow. The Agent protecting the "app1" and the the cookie provider trace if applicable. Your looking to confirm requests handled by the agent as expected and sessions updated. 
If this is Chrome, then attempt the same workflow in a different unrelated browser, like firefox.
I say unrelated as edge now has Chrome at its core. 
From Edge dev Tools: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42
If the "newpage.html" is active or js based, communicating with the backend application directly, it might be bypassing web calls to the web server (IIS / Apache ...) and therefore not acted on by the Siteminder agent. 

Kunal Shah's profile image
Kunal Shah posted Apr 22, 2021 10:44 AM
@James Atchley

Hi, thanks for your response,

Yes I checked the header trace. When switching to tab2, with every request the same smsession cookie is being updated. That is actually a good sign because it means that the updated smsession cookie will be used by all the tabs and tabwhich is idle will not be timed out. 

Surprisingly we don’t have this issue anymore. The tester who reported this issue earlier has confirmed that he is no longer seeing this issue.  I am not sure what changed, I didn’t change anything from my end 😊. 

My understanding is that the session is for the browser and not for the tab. So, if there is a smsession cookie and two tabs are opened, both tabs will share the smsession cookie. If I move away tab1 to tab2 and keep working in tab2, tab2 will keep updating smsession cookie (as it is doing in my case) and that updated cookie will be used by tab1 when I return to tab1, so there should not be any session expiry. That should be the expected behaviour. 

That is why when this issue was reported to me first time, I found it very odd. 

So far, I tested with Edge, Chrome and Firefox and they all show the same and expected behaviouri.e. session is maintained between the tabs and not expiring.