WebApp Sec: Re: Is logoff feature necessary

Re: Is logoff feature necessary

From: Andrew van der Stock <vanderaj_at_greebo.net>
Date: Wed, 3 May 2006 23:30:57 +1000

I can answer this for a particular product suite: WebSeal and
WebSphere using LTPA cookies, due to some research I can't directly
share.

If a WebSeal junction has a 15 minute idle out, and WebSphere a 20
minute idle out, users cannot re-connect to the WebSphere application
after 15 minutes, but resources are held open on WebSphere for the
whole 20 minutes. In general, it's best to have WebSeal use a shorter
idle timeout than the application server behind it as this leads to
less confusion for the user and greater security as the application
server cannot be reached when WebSeal does not allow it.

If WebSeal forcefully logs off your users (say via pdadmin), apps
hidden behind WebSeal junctions are generally not notified but also
do not see any further connectivity until a user logs in again. If
you want to see logout events, I'm moderately certain there is no
method to notify the WebSphere application except via using a custom
logout page outside your protected junction ... and by that time you
will no longer have access to the WebSphere application state, so I'm
not sure what that would gain you.

An application which is WebSeal aware can log off an individual
WebSeal session via an API call and reduce the possibility of this
difference being exploited. This is best practice.

thanks,
Andrew

On 03/05/2006, at 10:45 PM, Keith Duffin wrote:

> What about instances where an identity framework is used, such as CA's
> Siteminder or IBM's Identity Management Suite? Closing the browser will
> result in the session being invalidated - I'm not sure if that cascades to
> releasing other resources or not.

Received on May 03 2006
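The two-tier idle-timeout behaviour Andrew describes, modelled in Python as an added example (not from the original thread and not IBM's API): the proxy tier stands in for the WebSeal junction, the backend tier for WebSphere, the timings are constructed, and `aware_logout` is a hypothetical stand-in for the WebSeal-aware logout call he mentions.

```python
"""Two session tiers with independent idle timeouts (constructed model).

A request must pass the proxy before it can refresh the backend session, so
the two tiers drift apart: with proxy < backend the backend holds orphaned
state the user can no longer reach; with proxy > backend the proxy admits a
user whose application session is already gone.
"""
from dataclasses import dataclass, field


@dataclass
class SessionTier:
    name: str
    idle_timeout: int                 # seconds of inactivity before expiry
    last_seen: dict = field(default_factory=dict)   # session id -> last activity

    def touch(self, sid: str, now: int) -> None:
        self.last_seen[sid] = now

    def is_live(self, sid: str, now: int) -> bool:
        last = self.last_seen.get(sid)
        return last is not None and now - last < self.idle_timeout

    def expire(self, now: int) -> None:
        for sid, last in list(self.last_seen.items()):
            if now - last >= self.idle_timeout:
                del self.last_seen[sid]


def request(proxy: SessionTier, backend: SessionTier, sid: str, now: int) -> str:
    """Route one request; the backend is only reached if the proxy accepts it."""
    proxy.expire(now)
    backend.expire(now)
    if not proxy.is_live(sid, now):
        return "proxy-rejected"          # user must re-authenticate at the proxy
    if not backend.is_live(sid, now):
        return "backend-expired"         # proxy let the user in, app session is gone
    proxy.touch(sid, now)
    backend.touch(sid, now)
    return "ok"


def orphan_window(proxy: SessionTier, backend: SessionTier) -> int:
    """Seconds the backend keeps state that the proxy no longer lets anyone reach."""
    return max(0, backend.idle_timeout - proxy.idle_timeout)


def aware_logout(proxy: SessionTier, backend: SessionTier, sid: str) -> None:
    """Hypothetical 'WebSeal aware' logout: one call tears down both tiers."""
    proxy.last_seen.pop(sid, None)
    backend.last_seen.pop(sid, None)
```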