With CA SSO I've found a way to obtain the 'max' timeout value (number of seconds left) before a CA SSO session expires.
However, a PCI application would like to query the policy server to determine the number of seconds left in an SMSESSION before the user is logged out due to the idle timeout value configured in their security policy. It seems there's a way to configure URLs to not 'update' the timeout values in a CA SSO session. However, I cannot find a response that would return the number of seconds left for the 'idle' timeout value like there is for the 'max' timeout value.
So, my question is... What have others done to accurately inform a user that their session is about to end due to their session being idle for too long? Is the only option available today to have a separate timer in the user's browser? This is 'okay' but may not accurately reflect the "real" value in a CA SSO Session.
Thanks in advance!
Hi Jim. Unfortunately what you are looking for doesn't exist. The agent only checks if the session has expired once the user has performed some action on the current page. It is only then that the difference in current time, max idle time and max session time are evaluated to know if the user needs to be re-prompted for credentials. There is no "count down" type timer maintained by the policy server or the web agent.
I agree, but it wouldn't have been that difficult to implement it.
Policy server already has mechanism to set "HTTP_SM_TIMETOEXPIRE" header which stores the max time out value.
I think we can create an enhancement request to also set let's say HTTP_SM_IDLE_TIMETOEXPIRE which stores the idle time out value.
However, once the header is sent to the client, it is client's responsibility to regularly update this header on every refresh.
I agree that the enhancement can be requested but I didn't think that was the question. I thought Jim was asking for a way to query the policy server (or web agent) at any point in time to be able to display back to the user how much time is left before idle timeout will occur. So let's say idle is 5 minutes. Jim's client wants some type of count down to display back to the user that is being obtained from SiteMinder, not done by an application running on a browser. Jim, am I reading that correctly or did I miss your question?
We have a PCI application that is interested in occassionally making calls to find out the 'real' idle-timeout value remaining in the SMSESSION. So a header named HTTP_SM_IDLE_TIMETOEXPIRE could be returned on a URI that does not update the session.
I recently opened a case (00452096) and received excellent support as usual. Part of my posting here too is to understand better what others are doing to accurately reflect the 'real' idle timeout remaining in the user's browser.
Aside: This application will make calls to an URL that forces the idle timeout to be 'reset.' This is done to reflect (update) in the SMSESSION browser-side activity the application considers to be valid activity.
The application can set an idle timeout value in the browser but there is some concern this could get out of synch from the real idle timeout value in the session. (One reason is this application spans multiple web servers/platforms.) With an idle timeout header the application would be able to periodically synch the timers between the browser and the SMSESSION.
This application spans multiple country-level domains (TLDs). So a cookie provider will be used too. But I think we are good with how the cookie provider logic works to update the session in the cookie provider domain.
Bottom line: If there's a way to 'synch' the idle-timeout values between the browser's counter and the real idle-timeout value in the SMSESSION this would be powerful for sure. I'm also open to other ideas that I may have overlooked.
Thanks for the excellent feedback by all -- it is greatly appreciated!
Jim, I understand you are looking for practical solutions right now on this but in the meantime I have logged the following idea based on our support case. Please vote on this so that its at least available on a future version of the product!
Header for the Idle Timeout Value left in a CA SSO Session
FY for anyone stumbling upon this , I have impelemented this with Active Response.
Details here :
Tech Tip – How to automatically redirect user to login page after idletimeout