If I have an active SMSESSION for a protected resource and I keep refreshing the page, will my session be valid forever? Is there any specific time after which the user session will time out and the user will be forced to log in, irrespective of whether he is idle or not? If so, based on what parameter will this timeout be triggered? Can we modify that parameter?
Here I am looking at a particular scenario, which goes like this.
Policy configuration - the agent has max session cache size enabled, set to some 3000.
I logged into the application and captured the SMSESSION using browser debug tools.
I logged off from the application.
I replayed the session immediately, and since the web agent has the session cache enabled, the request got served from the cache and was successful.
Now I am simply refreshing the application with this replayed session.
How long will I be able to do that?
Is there any parameter to control that behavior?
What countermeasures do I have here apart from setting the max session cache size to zero?
Refer: Using SiteMinder to Secure against Session Hijacking
The SiteMinder Enhanced Session Assurance feature secures the SiteMinder session against session hijacking / replay attacks.
Hi KodandaSai Vutukuri,
What you are talking about is the session hijack & replay attack.
Let me clarify your questions first:
You said -"Will my session be valid forever? Is there any specific time after which user session will timeout and user will be forced to login irrespective of whether he is idle or not?"
Ujwol => Yes, the user session will time out once the max timeout is reached.
You can configure the maximum session timeout in the realm configuration page:
You said -"I replayed the session immediately and since web agent has session cache enabled, request got served from cache and it is successful."
Ujwol => For your scenario, you should consider implementing a session store and having a shorter validation period.
So, when the user logs off, the session will be removed from the session store. The next time the same session is replayed, if it is after the validation period (which can be shortened to as low as a few minutes), it will force the web agent to go to the policy server for validation, which is when the user will be logged out, as there will be no session in the session store.
Having said all this, if you want foolproof protection against session hijack and replay attacks, I would suggest implementing the session assurance feature.
Let me know if you have any further questions.
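The mechanism Ujwol describes above, as an added worked example that is not code from this thread or from SiteMinder itself: a constructed simulation of a web agent session cache in front of a policy server session store. It models the per-entry validation period, the one-hour hard expiry of cache entries quoted later in the thread, and the realm's maximum session timeout, and it assumes (as the original poster observed) that logoff removes the session from the store but does not purge the agent's cache entry. All class names, parameter names and time values are assumptions for illustration; the point is to show how long a replayed session is still served from cache after logoff, and why a shorter validation period closes that window.

```python
"""Constructed model of agent-side session caching vs. a server-side session store.

This is an illustrative simulation, not SiteMinder's own code or API: class names,
parameter names and time units (seconds) are assumptions made for this example.
"""
from dataclasses import dataclass

CACHE_ENTRY_TTL = 3600  # the thread quotes a one-hour expiry for cache entries


class PolicyServer:
    """Holds the session store; logoff removes the session so later validation fails."""

    def __init__(self, max_session_timeout=None):
        self.store = {}                                  # session_id -> login time
        self.max_session_timeout = max_session_timeout   # None models an unchecked realm timeout

    def login(self, session_id, now):
        self.store[session_id] = now

    def logoff(self, session_id):
        self.store.pop(session_id, None)                 # store entry gone; agent cache untouched

    def validate(self, session_id, now):
        login_at = self.store.get(session_id)
        if login_at is None:
            return False                                 # logged off or never issued
        if self.max_session_timeout is not None and now - login_at > self.max_session_timeout:
            self.store.pop(session_id)                   # absolute (max) timeout reached
            return False
        return True


@dataclass
class CacheEntry:
    created: int
    last_validated: int


class WebAgent:
    """Agent session cache: entries are trusted for `validation_period` seconds."""

    def __init__(self, policy_server, validation_period, cache_enabled=True):
        self.ps = policy_server
        self.validation_period = validation_period
        self.cache_enabled = cache_enabled
        self.cache = {}

    def request(self, session_id, now):
        """Return (accepted, source) where source is 'cache' or 'policy_server'."""
        entry = self.cache.get(session_id) if self.cache_enabled else None
        if entry is not None:
            if now - entry.created >= CACHE_ENTRY_TTL:
                self.cache.pop(session_id)               # hard expiry, regardless of validation period
            elif now - entry.last_validated < self.validation_period:
                return True, "cache"                     # served without asking the policy server
        ok = self.ps.validate(session_id, now)
        if ok and self.cache_enabled:
            if session_id in self.cache:
                self.cache[session_id].last_validated = now
            else:
                self.cache[session_id] = CacheEntry(created=now, last_validated=now)
        else:
            self.cache.pop(session_id, None)             # evict on failed validation
        return ok, "policy_server"


def replay_window(validation_period, cache_enabled=True):
    """Seconds after logoff at which a replayed session is first rejected."""
    ps = PolicyServer()
    agent = WebAgent(ps, validation_period, cache_enabled)
    sid = "sid-constructed"
    ps.login(sid, 0)
    agent.request(sid, 0)                                # first request populates the cache
    ps.logoff(sid)
    for t in range(1, CACHE_ENTRY_TTL + 2):
        accepted, _ = agent.request(sid, t)
        if not accepted:
            return t
    return None


def first_rejected_refresh(max_session_timeout, validation_period, refresh_every=60,
                           horizon=4 * CACHE_ENTRY_TTL):
    """Active user refreshing every `refresh_every` seconds: the max session timeout
    only bites at the next policy-server validation, not at the exact second it elapses.
    Returns the refresh time that is rejected, or None if none within `horizon`."""
    ps = PolicyServer(max_session_timeout)
    agent = WebAgent(ps, validation_period)
    sid = "sid-constructed"
    ps.login(sid, 0)
    t = 0
    while t <= horizon:
        accepted, _ = agent.request(sid, t)
        if not accepted:
            return t
        t += refresh_every
    return None


if __name__ == "__main__":
    print("replay rejected after", replay_window(300), "s with a 5-minute validation period")
    print("replay rejected after", replay_window(7200), "s when the period exceeds the 1h TTL")
    print("replay rejected after", replay_window(300, cache_enabled=False), "s with no cache")
    print("active user cut off at t =", first_rejected_refresh(1800, 300))
    print("unchecked max timeout:", first_rejected_refresh(None, 300))
```

Two things the simulation makes concrete: after logoff, the replay keeps working for the validation period or one hour, whichever is shorter, so shortening the validation period is the lever short of disabling the cache; and the realm's maximum session timeout is enforced only when the agent next revalidates, so an active user is cut off at the first validation after the timeout elapses rather than at the exact second. With the max timeout left unchecked (modelled as None) the model never rejects the actively refreshed session.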
I have checked my policies and found that maximum timeout is unchecked for my application. What does that mean? Does it have any default parameter to take, or if we uncheck it, will it take an infinite value?
Also, I found the below statement in the web agent guide.
"Regardless of the cache size, all entries in the session cache of the Web Agent expire automatically after one hour."
Are there any logs in the web agent or the web agent trace which explain that this condition was triggered?