Session Timeout configuration and its importance
Session timeout, as the name describes, is the time period after which the session object of a web application expires. The timeout period can be a fixed period (hard timeout) or an inactivity period (soft timeout) during which the user does not refresh or request a page. Once the session has reached the timeout, the user is required to re-authenticate to access the web application. A hard session timeout is a defined lifetime for the session ID irrespective of user activity. If the application has a hard session timeout of, say, 9 hrs, the user will be asked to re-authenticate after 9 hrs even if the session was used actively.
Hard and soft session timeout configuration is a security control. Both limit the window in which a captured or fixated session ID remains usable, which helps protect the user session from attacks like CSRF and session fixation.
There are a few ways to configure hard and soft session timeouts for applications. We will discuss mainly the soft session timeout configuration for Oracle Identity Manager (OIM) version 11gR2PS1.
If an application is protected by an Access Management solution, then the application session timeout must be configured through the Access Management tier.
For a standalone application (not using Single Sign-On), the inactivity session timeout can be configured through the application deployment descriptor files (web.xml, and weblogic.xml when the application is deployed in WebLogic Application Server), or it can be configured externally using a WebLogic deployment plan, which overrides descriptor values without repackaging the application.
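The deployment plan form of the inactivity timeout, as an added example that is not from the original post or from Oracle's OIM distribution: it assigns a variable to the `timeout-secs` element of a module's `weblogic.xml` (`session-descriptor`), which is WebLogic's soft timeout in seconds. The application name, module name and the 1800-second value are placeholders chosen here; replace them with the names reported by the WebLogic console for your OIM deployment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example deployment plan; names marked PLACEHOLDER are not from the post. -->
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 global-variables="false">
  <!-- PLACEHOLDER: the deployed application name shown in the WebLogic console -->
  <application-name>OIM_APPLICATION_NAME</application-name>

  <!-- The value we want to enforce: 30 minutes of inactivity, in seconds -->
  <variable-definition>
    <variable>
      <name>SessionDescriptor_timeoutSecs</name>
      <value>1800</value>
    </variable>
  </variable-definition>

  <!-- PLACEHOLDER: one override per web module whose timeout must change -->
  <module-override>
    <module-name>OIM_WEB_MODULE.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <!-- Replaces /weblogic-web-app/session-descriptor/timeout-secs with 1800;
           the element is created if the packaged weblogic.xml lacks it -->
      <variable-assignment>
        <name>SessionDescriptor_timeoutSecs</name>
        <xpath>/weblogic-web-app/session-descriptor/timeout-secs</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
```

Two checks are worth making after applying such a plan. First, WebLogic documents the `session-timeout` element in a module's `web.xml` (expressed in minutes, not seconds) as taking precedence over `timeout-secs` in `weblogic.xml`, so a timeout that does not take effect usually means `web.xml` still sets its own value. Second, confirm the new value with a fresh login: leave the browser idle past the configured period, then request a page and verify that re-authentication is demanded.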
In this post we will discuss the session timeout configuration for OIM web applications using a WebLogic deployment plan.
Comments

Good information on the Oracle Identity Manager and the other uses of it. The session configuration differs highly from the other software of other companies.

Thanks Santhoshi

Santhoshi, I am glad that you liked the article and that it was informative and useful to you, and thanks to all other readers as well for their feedback provided offline.

FYI everyone, the session timeout steps work for the OIM 11gR2 PS2 release as well.

Hi Firdaus,

The time I configured this, I see sessions not being shared by sysadmin sub-pages. E.g., if I click on Manage IT Resource, it gives out error 401. If I click on Reconciliation, I need to login again.
Is there a way to reset this change or restore to default?
Copying Admin config back to oimserver config (policyA & policyB) didn't help.
I really appreciate the information shared above. It's of great help.