Layer 7 Access Management

Expand all | Collapse all

Why is user logged out before max timeout? Why is SM_TIMETOEXPIRE value dropping drastically?

Jump to Best Answer
  • 1.  Why is user logged out before max timeout? Why is SM_TIMETOEXPIRE value dropping drastically?

    Posted 05-21-2019 11:22 PM

    We are facing an issue where users are unpredictably getting logged out much sooner than the max timeout while being active. For example, a user will login at 8:00am and even though the max timeout is set to 10 hours and the user is active, the user sometimes gets logged out at a time which is less than 10 hours (i.e 10:13am, 2:46pm etc.). While investigating our logs, we noticed that the SM_TIMETOEXPIRE value in the request header is much lower than it should be.

     

     

    We are not able to determine what is causing this to occur, however there is one way we were able to reproduce the issue. Let's say there are two applications that use the same Siteminder SSO. In Chrome, I open application #1 and am directed to the Siteminder SSO login. In another tab, I open application #2 and am directed to the Siteminder SSO login. On application #1, I login and in the logs I can see that the SM_TIMETOEXPIRE value is 10 hours as expected. Then I go back to the other tab where I'm at the login screen for application #2 and I login again with the same credentials (yes I know this defeats the purpose of SSO) and when I check the logs, I notice that the SM_SERVERSESSIONID in the request header is different for both logins and that one of the SM_TIMETOEXPIRE values is in tact and the other is drastically smaller (i.e. less than 120 seconds). Note: Users have experienced the premature logout without doing the above scenario where a user logs in twice in the same browser.

     

    1) Are there any scenarios in which the user (who is active) is logged out earlier than the max timeout?

    2) Are there any scenarios that would cause the SM_TIMETOEXPIRE max timeout value to drop drastically?

    3) Is it possible for a user to login with the same credentials twice and be given two different session IDs? If so, does siteminder invalidate one of the sessions by drastically reducing the SM_TIMETOEXPIRE value on one of the sessions?

    4) Any theories one what may be causing users to get prematurely logged out or to cause the SM_TIMETOEXPIRE value to drop drastically?



  • 2.  Re: Why is user logged out before max timeout? Why is SM_TIMETOEXPIRE value dropping drastically?
    Best Answer

    Posted 05-23-2019 01:21 PM

    Hi Viren, 

     

    I've not personally heard  of an issue like this before, seems pretty unusual.

     

    1) Are there any scenarios in which the user (who is active) is logged out earlier than the max timeout?

    >> Logged out vs having their remaining time reduced are different things. Logged out could happen if the session was logged out on another tab. Time remaining being reduced would be more if they moved to another realm with a shorter timeout. Or if they were idle longer than they realized.

     

    2) Are there any scenarios that would cause the SM_TIMETOEXPIRE max timeout value to drop drastically?

    >> I can only think of where the time had actually passed. Perhaps in another tab using the same session and it has synched with the older session.

     

    3) Is it possible for a user to login with the same credentials twice and be given two different session IDs? If so, does siteminder invalidate one of the sessions by drastically reducing the SM_TIMETOEXPIRE value on one of the sessions?

    >> Yes, for example if you use two different browser types, there is no session sharing so they end up with unique values. If you use two tabs, since you have both login forms already loaded, on the initial login the serversessionid will be different. But as soon as you refresh the tabs, the serversessionid, serversessionspec,  SMSESSION cookie, etc should synch up.

     

    4) Any theories one what may be causing users to get prematurely logged out or to cause the SM_TIMETOEXPIRE value to drop drastically?

    >> Very hard to tell without data. Maybe an old cookie is being replayed from cache, hence the sudden drop in time or it is even expired already causing the logout. Or as I said, there are different realm timeouts in play, but no EnforceRealmTimeouts set in ACO. 

     

    If this is a serious or widespread issue, you may want to consider opening a Support case to get assistance.

     

    Thanks!