Layer 7 Access Management

Expand all | Collapse all

LCL Addon - LCL attribute is not getting deleted after session is ended

  • 1.  LCL Addon - LCL attribute is not getting deleted after session is ended

    Posted 02-04-2019 02:06 PM

    Hi Everyone,

     

    Hope everyone is doing great. 

    I am facing a small issue while implementing the LCL addon. LCL is limit concurrent session. I am able to capture the user's session in LCL attribute (defined in SMAuthLimit.cfg file that come with LCL add-on), but when i sign-out or when user session is ended, the LCL attribute shall get deleted. But attribute is not getting deleted and thus even if user logs in day after, since the LCL attribute is already updated (max session allowed is 1 and then user should get pop-up), it shall get deleted after user session is ended. 

     

    Please suggest or point where i am going wrong. 

     

    Thanks,

    Shivam   



  • 2.  Re: LCL Addon - LCL attribute is not getting deleted after session is ended

    Posted 02-04-2019 05:36 PM

    It appears there has been changes to how the LCL works and my memory is based on much much older version so take it as grain of salt.

     

    When the user gets authenticated, the sessionID gets stored in the user attribute.

    When another same user gets authenticated then this new sessionID gets stored in the user attribute overwriting the previous value.

    When the user tries to access resources for authorization, LCL will check if the submitted sessionID matches the value stored in the user attribute.

    If the value match then granted access, if not rejected.

     

    Because it is always the latter user session that would be valid, there is actually no reason to remove the sessionID from the user attribute when the user logout, although it would be good if it did.

    I think this is where you are reporting this issue and I must admit that LCL might have changed(with improvements).

     

    When the same user tries to access the next day, assuming the MaxTimeout has already exceeded, the user must Authenticate again and the new sessionID gets written in to the user attribute.

    So whatever value there was before has no meaning now.



  • 3.  Re: LCL Addon - LCL attribute is not getting deleted after session is ended

    Posted 02-05-2019 11:56 AM

    Thanks for your reply. 

     

    For me, i have max session limit as 2. 

    Therefore, when a user is autheticated - LCL (custom multivalue attribute) gets updated with session value

    Same user opens another browser, LCL attribute gets updated with another sessio value. 

    At this point, same user has 2 sessions and LCL has 2 session values

     

    Same user opens a third browser, now since the limit is 2 - it get's redirected to the smauthlimit.jsp page. Now if i close all the browser - ideally the session should ended. 

     

    I tried to login now from a browser and it always redirect me to smauthlimit.jsp. The overwriting part is not happening. 

    Behavior is quite different than what mentioned in the LCL documentation.