Layer7 Access Management

Expand all | Collapse all

IdleTimeoutURL and unprotected urls

Jump to Best Answer
  • 1.  IdleTimeoutURL and unprotected urls

    Posted 03-14-2014 11:25 AM

    Hello,

    For my website, 90% of the content is unprotected.  Currently if a user's session times out, he is redirected to the IdleTimeoutURL.  Is it possible to only send the user to the IdleTimeoutURL if the user is trying to view access protected content?

    Current user story:
    1. User logs in
    2. User views unrestricted content.
    3. User is idle for a few hours
    4. User tries to view unrestricted content again
    5. User is redirected to IdleTimeoutURL

    I would like to change step 5, so the the user only gets sent to the IdleTimeoutURL when he next tries to view access protected content.  Or possible just has to log in again when trying to next view access protected content.

    thanks
    chad



  • 2.  RE: IdleTimeoutURL and unprotected urls
    Best Answer

    Posted 03-16-2014 11:04 PM
    Hi Chad,
     
    When we say that a user is redirected to the configured value for IdleTimeoutURL, it means that when SMSESSION cookie
    was set to LOGGEDOFF and the user is redirected to IdleTimeoutURL page as per design or Webagent code trigerred for IdleTimeoutURL.
     
    A user should be successfully able to navigate through unprotected content on your website without any time restriction
    from Webagent if the user never started a SM session (Authenticated and AZ through Siteminder).
    For protected pages,he can be challenged and Authenticated to begin a session.
     
     
     
    Your last sentence in the question does open a room for solution when you say :
    "Or possible just has to log in again when trying to next view access protected content."
     
    if you remove-IdleTimeoutURL, there will be no redirection after the timeout and hence when user sends a get request for a unprotected page -IsProtected() will be called but User wont be challenged by Webagent for as a part of Authentication processing.
    In this way, a user should not be challenged for unprotected resources and should be challenged(login page that you want) on requesting protected resources.
     
    I donot have lab to test and confirm this, but believe my uderstanding is corect, give a try.
    Also its purely your call as it has different user experience.