Hi KodandaSai Vutukuri,
What you are talking about is the Session hijack & replay attack.
Let me clarify your questions first:
You said -"Will my session be valid forever? Is there any specific time after which user session will timeout and user will be forced to login irrespective of whether he is idle or not?"
Ujwol => Yes, the user session will time out once the max timeout is reached.
You can configure the maximum session timeout in the realm configuration page:
You said -"I replayed the session immediately and since web agent has session cache enabled, request got served from cache and it is successful."
Ujwol => For your scenario, you should consider implementing a session store and having a shorter validation period.
So, when the user logs off, the session will be removed from the session store. The next time the same session is replayed, if it is after the validation period (which can be shortened to as little as a few minutes), the web agent will be forced to go to the policy server for validation, which is when the user will be logged out, as there will be no session in the session store.
Having said all this, if you want foolproof protection against session hijack and replay attacks, I would suggest implementing the session assurance feature.
Let me know if you have any further questions.
Regards,
Ujwol Shrestha