WebApp Sec mailing list archives
Re: Is logoff feature necessary
From: Andrew van der Stock <vanderaj () greebo net>
Date: Wed, 3 May 2006 23:30:57 +1000
I can answer this for a particular product suite: WebSeal and WebSphere using LTPA cookies, due to some research I can't directly share.
If a WebSeal junction has a 15 minute idle out, and WebSphere a 20 minute idle out, users cannot re-connect to the WebSphere application after 15 minutes, but resources are held open on WebSphere for the whole 20 minutes. In general, it's best to have WebSeal use a shorter idle timeout than the application server behind it as this leads to less confusion for the user and greater security as the application server cannot be reached when WebSeal does not allow it.
If WebSeal forcefully logs off your users (say via pdadmin), apps hidden behind WebSeal junctions are generally not notified but also do not see any further connectivity until a user logs in again. If you want to see logout events, I'm moderately certain there is no method to notify the WebSphere application except via using a custom logout page outside your protected junction ... and by that time you will no longer have access to the WebSphere application state, so I'm not sure what that would gain you.
An application which is WebSeal aware can log off an individual WebSeal session via an API call and reduce the possibility of this difference being exploited. This is best practice.
thanks, Andrew

On 03/05/2006, at 10:45 PM, Keith Duffin wrote:

> What about instances where an identity framework is used, such as CA's SiteMinder or IBM's Identity Management Suite? Closing the browser will result in the session being invalidated - I'm not sure if that cascades to releasing other resources or not.
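The timeout mismatch Andrew describes is easy to reason about with a small model. The following is an added example, not code from the original post and not IBM's Tivoli or WebSphere API: it models a gateway (WebSeal-style) session and an application-server (WebSphere-style) session, each with its own idle timeout, and a request that must pass the gateway before it can refresh the application session. The class and function names, the minute-based clock, and the two "logout" variants are constructed for illustration; a real WebSeal-aware application would call the product's own session-termination interface rather than these hypothetical methods.

```python
from typing import List, Tuple
from dataclasses import dataclass


@dataclass
class IdleSession:
    """One session with an inactivity timeout. Time is in minutes."""
    idle_timeout: int
    last_seen: int = 0      # minute of last activity
    alive: bool = True

    def is_alive(self, now: int) -> bool:
        return self.alive and (now - self.last_seen) < self.idle_timeout

    def touch(self, now: int) -> bool:
        """Record activity; returns False (and marks dead) if already idled out."""
        if not self.is_alive(now):
            self.alive = False
            return False
        self.last_seen = now
        return True

    def terminate(self) -> None:
        self.alive = False


class Deployment:
    """Gateway session in front of an application-server session (model)."""

    def __init__(self, gateway_timeout: int, app_timeout: int) -> None:
        self.gateway = IdleSession(gateway_timeout)
        self.app = IdleSession(app_timeout)

    def request(self, now: int) -> Tuple[str, bool]:
        """Simulate a user request at minute `now`.

        Returns (outcome, app_session_still_alive). Outcomes:
          "ok"               both sessions accepted and refreshed
          "gateway_rejected" gateway idled out; the app never sees the request
          "app_expired"      gateway let it through, but the app session is gone
        """
        if not self.gateway.touch(now):
            # Gateway blocks the request, but app-side resources may live on.
            return "gateway_rejected", self.app.is_alive(now)
        if not self.app.touch(now):
            return "app_expired", False
        return "ok", True

    def gateway_only_logout(self) -> None:
        """Logout handled at the gateway alone; the application is not told."""
        self.gateway.terminate()

    def aware_logout(self) -> None:
        """Gateway-aware application logout: release app state and end the
        gateway session together (hypothetical stand-in for a product API)."""
        self.app.terminate()
        self.gateway.terminate()


def orphan_minutes(gateway_timeout: int, app_timeout: int) -> int:
    """Minutes an application session can outlive its unreachable gateway session."""
    return max(0, app_timeout - gateway_timeout)


def simulate(gateway_timeout: int, app_timeout: int,
             request_times: List[int]) -> List[Tuple[str, bool]]:
    """Run a sequence of requests (minutes since login) and collect outcomes."""
    d = Deployment(gateway_timeout, app_timeout)
    return [d.request(t) for t in request_times]


if __name__ == "__main__":
    # Constructed scenario from the post: 15 minute gateway, 20 minute app.
    print(simulate(15, 20, [10, 26, 31]))
    # Reversed: gateway outlives the app, so the user gets through the
    # gateway only to find the application session gone.
    print(simulate(20, 15, [10, 26]))
```

With the post's numbers, a request 16 minutes after the last activity is refused by the gateway while the application session is still alive for another 4 minutes; with the timeouts reversed the gateway admits the request and the application reports the session expired, which is the user-visible confusion the post warns about. The `aware_logout` path shows why an application that can end its own gateway session removes that window entirely.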