Closed GoogleCodeExporter closed 9 years ago
What about setting the idle timeout in PWM to the same value as NAM is using?
Original comment by jrivard
on 12 Jun 2013 at 3:49
Thanks for your suggestion, but unfortunately that won't fix my issue. A use
case to explain my business requirement:
User X gets to work at 9.00am and logs in to AM to do something in PWM. He
opens a couple of tabs in his browser to open application A, B and C which are
also protected by NAM. User X continues to work in application A, B and C during
the day, but not in the PWM application.
With the current behaviour PWM will log out the user from NAM, because of the
idle timeout. If I make the PWM idle timeout the same as the NAM timeout it's
not going to make any difference, because the idle time of NAM will get updated
by accessing application A, B and C, but not the idle time of PWM. This
eventually leads to NAM extending the session time, but PWM will log out the
user anyway, because the user is idle within the PWM application.
Therefore my only option is to disable the idle timeout of PWM and let NAM take
care of the session timeout as PWM is a protected resource behind NAM.
Original comment by sebastia...@gmail.com
on 12 Jun 2013 at 6:23
This seems like an uncommon use case. Users don't typically go to PWM unless
they are forced to because they need to make a security change, neither of
which is common, and neither of which is a good idea with having multiple
windows/tabs open when making credential changes.
Nevertheless, how about changing the PWM logout URL to something that doesn't
invoke a NAM logout, such as your main portal page?
Original comment by jrivard
on 13 Jun 2013 at 6:12
[deleted comment]
Thanks both for your feedback. Ideally the solution that Jared describes is the
best fix. Changing the PWM logout URL is not going to work well in my
situation, because we do want to log out from NAM when a user presses the logout
button. This is because we are implementing single logout from each application
behind NAM.
So there are actually 2 options to get this fixed:
- PWM internally times the session out upon an idle timeout, but not calling the
logout URL
- Implement a separate logout URL configuration option independent of the
logout URL that is connected to the logout button
Original comment by sebastia...@gmail.com
on 14 Jun 2013 at 5:48
Added option in Settings -> User Interface -> Show Idle Timeout to control the
display and redirect action of the idle timeout setting. Changes are in svn
revision 573. Please re-open this issue if this doesn't cover your request.
Original comment by jrivard
on 14 Jun 2013 at 5:53
Thanks for adding this setting. I've tested this patch, but it only controls
the display of the Idle timeout. Upon Idle timeout the logout URL is still
called.
Original comment by sebastia...@gmail.com
on 14 Jun 2013 at 6:57
Disabling of the logout URL redirect seems fairly simple, because the logout
from Idle is called with param idle=true.
Attached a patch to disable the logout URL call when "Show Idle Timeout to
control=false"
Original comment by sebastia...@gmail.com
on 14 Jun 2013 at 8:42
I've taken a look at r574 and this works a bit better by not calling the
LogOutServlet. However, after the session times out on the server side, the user
gets redirected to /pwm/private/Login after clicking on a PWM module.
NAM then still inserts the Basic Auth headers, but the login servlet does not
seem to use them after a redirect from a server side session timeout.
Original comment by sebastia...@gmail.com
on 18 Jun 2013 at 1:42
Can't reproduce issue in #9, can you confirm and post logs?
Original comment by jrivard
on 18 Jun 2013 at 9:44
I can't reproduce #9 as well. My guess is that my NAM proxy had hiccups.
Original comment by sebastia...@gmail.com
on 2 Jul 2013 at 12:29
Original comment by jrivard
on 26 Jul 2013 at 10:36
Original issue reported on code.google.com by
sebastia...@gmail.com
on 12 Jun 2013 at 12:52