Re: Is logoff feature necessary

[Andrew van der Stock <vanderaj () greebo net>]

I can answer this for a particular product suite: WebSeal and  
WebSphere using LTPA cookies, due to some research I can't directly  
share.

If a WebSeal junction has a 15 minute idle out, and WebSphere a 20  
minute idle out, users cannot re-connect to the WebSphere application  
after 15 minutes, but resources are held open on WebSphere for the  
whole 20 minutes. In general, it's best to have WebSeal use a shorter  
idle timeout than the application server behind it as this leads to  
less confusion for the user and greater security as the application  
server cannot be reached when WebSeal does not allow it.

If WebSeal forcefully logs off your users (say via pdadmin), apps  
hidden behind WebSeal junctions are generally not notified but also  
do not see any further connectivity until a user logs in again. If  
you want to see logout events, I'm moderately certain there is no  
method to notify the WebSphere application except via using a custom  
logout page outside your protected junction ... and by that time you  
will no longer have access to the WebSphere application state, so I'm  
not sure what that would gain you.

An application which is WebSeal aware can log off an individual  
WebSeal session via an API call and reduce the possibility of this  
difference being exploited. This is best practice.

thanks,
Andrew

On 03/05/2006, at 10:45 PM, Keith Duffin wrote:

> What about instances where an identity framework is used, such as CA's
> Siteminder or IBM's Identity Mangament Suite?  Closing the browser  
> will
> result in the session begin invalidated - I'm not sure if that  
> cascades to
> releasing other resources or not.

Attachment: smime.p7s
Description: