grealish / pwm

Automatically exported from code.google.com/p/pwm

No option to disable idle timeout #404

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Go to the Configuration Manager -> Settings -> General
2. Set the Idle Timeout Seconds to 0

What is the expected output? What do you see instead?
I would expect that the Idle Timeout functionality would be disabled. Instead 
upon login, my session is directly invalidated by the Idle Timeout of 0 seconds.

What version of PWM are you using?
latest build

Rationale
I'm not sure whether this is "working-as-designed" or a bug. The reason I need 
to disable the Idle Timeout is because my PWM install is behind NAM and I 
would like NAM to determine the session timeout, not PWM by itself. Currently 
PWM calls the AGlogout page upon the idle timeout (configured the NAM logout 
URL inside PWM), which results in a single logout for all applications. 
Therefore it would be nice if the Idle timeout of PWM could be disabled, while 
maintaining the Logout URL of the NAM AG inside PWM.

Original issue reported on code.google.com by sebastia...@gmail.com on 12 Jun 2013 at 12:52

GoogleCodeExporter commented 9 years ago
What about setting the idle timeout in PWM to the same value as NAM is using?

Original comment by jrivard on 12 Jun 2013 at 3:49

GoogleCodeExporter commented 9 years ago
Thanks for your suggestion, but unfortunately that won't fix my issue. A use 
case to explain my business requirement:

User X gets to work at 9.00am and logs in to AM to do something in PWM. He 
opens a couple of tabs in his browser to open application A, B and C which are 
also protected by NAM. User X continues to work in application A,B and C during 
the day, but not in the PWM application. 

With the current behaviour PWM will logout the user from NAM, because of the 
idle timeout. If I make the PWM idle timeout the same as the NAM timeout it's 
not going to make any difference, because the idle time of NAM will get updated 
by accessing application A,B and C, but not the idle time of PWM. This 
eventually leads to NAM extending the session time, but PWM will logout the 
user anyway, because the user is idle within the PWM application.

Therefore my only option is to disable the idle timeout of PWM and let NAM take 
care of the session timeout as PWM is a protected resource behind NAM.

Original comment by sebastia...@gmail.com on 12 Jun 2013 at 6:23

GoogleCodeExporter commented 9 years ago
This seems like an uncommon use case.  Users don't typically go to PWM unless 
they are forced to because they need to make a security change, neither of 
which is common, and neither of which is a good idea when having multiple 
windows/tabs open while making credential changes.  

Nevertheless, how about changing the PWM logout url to something that doesn't 
invoke a NAM logout, such as your main portal page?

Original comment by jrivard on 13 Jun 2013 at 6:12

GoogleCodeExporter commented 9 years ago
[deleted comment]

GoogleCodeExporter commented 9 years ago
Thanks both for your feedback. Ideally the solution that Jared describes is the 
best fix. Changing the PWM logout URL is not going to work well in my 
situation, because we do want to logout from NAM when a user presses the logout 
button. This is because we are implementing single logout from each application 
behind NAM.

So there are actually 2 options to get this fixed:

- PWM internally times the session out upon an idle timeout, but without calling the 
logout URL
- Implement a separate logout URL configuration option independent of the 
logout URL that is connected to the logout button

Original comment by sebastia...@gmail.com on 14 Jun 2013 at 5:48

GoogleCodeExporter commented 9 years ago
Added option in Settings -> User Interface -> Show Idle Timeout to control the 
display and redirect action of the idle timeout setting.  Changes are in svn 
revision 573.  Please re-open this issue if this doesn't cover your request.

Original comment by jrivard on 14 Jun 2013 at 5:53

GoogleCodeExporter commented 9 years ago
Thanks for adding this setting. I've tested this patch, but it only controls 
the display of the Idle timeout. Upon Idle timeout the logout URL is still 
called.

Original comment by sebastia...@gmail.com on 14 Jun 2013 at 6:57

GoogleCodeExporter commented 9 years ago
Disabling of the logout URL redirect seems fairly simple, because the logout 
from Idle is called with param idle=true.

Attached a patch to disable the logout URL call when "Show Idle Timeout to 
control=false"

Original comment by sebastia...@gmail.com on 14 Jun 2013 at 8:42

Attachments:
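
The gating described in this thread, as an added illustration rather than PWM's own code: the server-side session is always invalidated, but the redirect to the gateway-wide logout URL (the NAM AG logout) is only followed when the logout was user-initiated or the idle-timeout feature is enabled. The names `Session`, `LogoutConfig`, `handle_logout` and the URLs are assumptions.

```python
"""Idle-timeout vs. explicit-logout handling for an app behind an SSO gateway.

Added example modelling the thread's fix; not PWM's own code. Class and
function names and all URLs are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str]
    valid: bool = True

    def invalidate(self) -> None:
        """Drop the server-side session state unconditionally."""
        self.user = None
        self.valid = False


@dataclass
class LogoutConfig:
    logout_url: Optional[str]      # gateway logout URL (e.g. NAM AG logout), assumed
    show_idle_timeout: bool = True  # the "Show Idle Timeout" setting from the thread
    local_landing: str = "/pwm/public/Logout"  # assumed local, gateway-neutral page


def handle_logout(params: Dict[str, str], cfg: LogoutConfig, session: Session) -> str:
    """Invalidate the local session and return the URL to redirect the browser to.

    - Logout button pressed: honour logout_url, so single logout still works.
    - idle=true with the idle feature disabled: stay local, so an idle PWM tab
      does not tear down the user's gateway session for applications A, B, C.
    """
    session.invalidate()
    idle = params.get("idle", "false").strip().lower() == "true"
    if idle and not cfg.show_idle_timeout:
        return cfg.local_landing
    return cfg.logout_url or cfg.local_landing
```
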

GoogleCodeExporter commented 9 years ago
I've taken a look at r574 and this works a bit better by not calling the 
LogOutServlet. However, after the session times out on the server side, the user 
gets redirected to /pwm/private/Login after clicking on a PWM module.

NAM then still inserts the Basic Auth headers, but the login servlet does not 
seem to use them after a redirect from a server side session time out.

Original comment by sebastia...@gmail.com on 18 Jun 2013 at 1:42

GoogleCodeExporter commented 9 years ago
Can't reproduce issue in #9, can you confirm and post logs?

Original comment by jrivard on 18 Jun 2013 at 9:44

GoogleCodeExporter commented 9 years ago
I can't reproduce #9 either. My guess is that my NAM proxy had hiccups.

Original comment by sebastia...@gmail.com on 2 Jul 2013 at 12:29

GoogleCodeExporter commented 9 years ago

Original comment by jrivard on 26 Jul 2013 at 10:36