USE CASE :
The user logs into the application.
He leaves the application idle for X minutes (where X = the idle timeout configured for the realm).
The user can still see the application after the idle timeout, as long as he doesn't refresh the page.
The requirement is that, once the idle timeout is reached, the application should automatically redirect the user to the login page and log the user out of the current session.
SOLUTION (HIGH LEVEL) :
- Implement an active response that sets an HTTP response header “HTTP_IDLE_TIMETOEXPIRE” with the actual idle timeout for the current session. (Note: CA SSO has an OOTB header “HTTP_SM_TIMETOEXPIRE” for the max timeout but none for the idle timeout.)
- Create the following meta tag to refresh the page after the idle timeout plus an additional 5 seconds:
<META http-equiv="refresh" content="Read value from Idle timeout HTTP header + 5 seconds">
Once the request reaches the web agent, it detects that the session has already idled out, so it logs off the current session and redirects to the login page.
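The flow above can be replayed with a small model. This is an added example, not CA SSO code and not part of the attached files: the agent logic, the function names and the /login path are assumptions. It shows why the refresh must fire after the idle timeout: a refresh that arrives earlier counts as activity and keeps the session alive.

```javascript
// Simplified model of the idle-timeout flow (assumed behaviour, not the CA SSO agent).
// The max timeout is ignored; only the idle timeout is modelled. Times are in seconds.
const GRACE_SECONDS = 5; // the "additional 5 seconds" from the solution

// Stand-in for the web agent: tracks the last accepted request for one session.
function makeAgent(idleTimeout, loginTime) {
  let lastActivity = loginTime;
  let active = true;
  return {
    handle(now) {
      if (!active || now - lastActivity >= idleTimeout) {
        active = false; // session is logged off
        return { status: 302, location: '/login', headers: {} }; // assumed login URL
      }
      lastActivity = now; // every accepted request resets the idle clock
      return { status: 200, headers: { HTTP_IDLE_TIMETOEXPIRE: String(idleTimeout) } };
    },
  };
}

// Build the refresh tag from the header value.
// Returns null when the value is not a plain integer (for example "ERROR").
function buildRefreshMeta(headerValue, grace = GRACE_SECONDS) {
  if (!/^\d+$/.test(String(headerValue))) return null;
  const seconds = Number(headerValue) + grace;
  return { seconds, html: `<META http-equiv="refresh" content="${seconds}">` };
}

// Load the page at t=0, then follow refresh tags with no user activity
// until the agent redirects or `limit` refreshes have happened.
function simulate(idleTimeout, grace, limit = 10) {
  const agent = makeAgent(idleTimeout, 0);
  let now = 0;
  let refreshes = 0;
  let resp = agent.handle(now);
  while (resp.status === 200 && refreshes < limit) {
    const meta = buildRefreshMeta(resp.headers.HTTP_IDLE_TIMETOEXPIRE, grace);
    if (!meta) break; // no usable header: the page never auto-refreshes
    now += meta.seconds;
    refreshes += 1;
    resp = agent.handle(now);
  }
  return { now, refreshes, status: resp.status, location: resp.location || null };
}

console.log(simulate(60, 5));  // refresh lands after the timeout: redirected to login
console.log(simulate(60, -5)); // refresh lands before the timeout: session never idles out
```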
INSTRUCTIONS :
1. Create an Active Response to invoke the attached Active Response class
2. Associate the above ActiveResponse with the “OnAccessAccept” rule.
3. Compile and deploy the attached GetIdleTimeOutActiveResponse class to the directory <PS_Install_directory>siteminder\config\properties. The logic to retrieve the idle timeout of the current session is as below:
// Returns the idle timeout of the current session as a string,
// or "ERROR" when it cannot be read.
// logInPSTrace is a helper method of this class (not shown here).
public String invoke(ActiveExpressionContext context, String param)
        throws Exception
{
    String idleTimeout;
    SessionInfoContext sInfoCtx = new SessionInfoContext(context);
    APIContext apiContext = context.getAPIContext();

    // -1 means the idle timeout could not be retrieved
    long toRet = sInfoCtx.getIdleTimeout();
    if (toRet != -1)
    {
        //Logger.logInfo("Session IdleTimeout " + toRet );
        logInPSTrace(apiContext, "Session IdleTimeout : " + String.valueOf(toRet));
        idleTimeout = String.valueOf(toRet);
    }
    else
    {
        logInPSTrace(apiContext, "FAILED to get Session IdleTimeout");
        // The page that consumes the header must handle this non-numeric value
        idleTimeout = "ERROR";
    }
    return idleTimeout;
}
4. Restart Policy server.
5. For the test, we are using classic ASP script on the client side as below :
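<tr>
<td colspan=2>Your session will idleout in :<b> <%= GetAttribute("HTTP_IDLE_TIMETOEXPIRE")%> </b> seconds</td>
</tr>
<%
' Emit the refresh tag only for a numeric value; the Active Response returns "ERROR" on failure
Dim idleSecs
idleSecs = GetAttribute("HTTP_IDLE_TIMETOEXPIRE")
If IsNumeric(idleSecs) Then
    response.write "<META http-equiv=""refresh"" content=""" & (CLng(idleSecs) + 5) & """>"
End If
%>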
ATTACHMENT :
- Active Response java class :
- sample client script :
TESTING :
For the test, I have set the realm idle timeout = 60 seconds & max timeout = 300 seconds:
- Fiddler :