How to set absolute session timeout in websphere liberty profile? - websphere-liberty

I need to set absolute session timeout (timeout the session regardless the user is active or not) in websphere liberty profile server for an application?
How do I do that ? I know inactivity timeout setting. But it is not the requirement, absolute timeout is the requirement.

Either you JAAS enable your application, activate the Lightweight Third Party Authentication (LTPA) and set the absolute time, regardless activity.
The default expiration time is 2 hours and is an absolute time, not based on user activities. After the 2 hours, the token expires and the user must log in again to access the resource. Liberty: Authentication
or
Just set the global session timeout in liberty to x seconds (which is for inactivity), and in your web application for each communication front it with a filter or something similar that checks the session getCreationTime and invalidate it if it exceeds x seconds. Also some good guide and reading here
In this case you will have session invalidity for both inactive and active users.

Related

Do a HTTP get request makes an Idle Session ACTIVE?

Environment Spring Boot, Spring Session, Spring Security
Hi, I ma implementing session timeout in my spring boot application using the server.servlet.session.timeout=60 . Which means session must timeout after 1 minute of inactivity. Which is not happening. One of the causes would be that my application sends a HTTP GET request (/getCustomerCount() )every 1 second from the webpage (javascript scheduled).
Question : Does HTTP get request converts an IDLE session to be an active session which prevents the sessions to timeout.
If so, then how shall I timeout my application. I want the session idle/active logic to ignore the every second request /getCustomerCount(). Adn if user doesn't perform any task (other than per second request) then consider the session as IDLE and time it out after 60 seconds.
Is there any way in Spring Session, that session manager ignores a particular request while marking a session active and idle ?

Reset session timeout in Websphere by Keypress / Mouse events

I have set the session timeout in my WebSphere as 3 Mins (Consider.Actual timeout I have set is 30 mins).I have kept my application open and just moving my mouse over the J2EE application and making some keypress which will not submit any pages.Even after 3 mins, the session of the application is retained.I need to confirm how the session is retained when some mouse move / keypress happens ? No request is being sent to server or no page submissions has been done.
The session timeout for my application is maintained only in server.
Thanks.
This sounds like it's due to WebSphere's use of the LTPA token for authentication. In summary:
When the web session expires a users credentials are not expired (you
are not forced to re-login). This is due to the WebSphere
implementation of LTPA tokens and more info on this is covered in the
IBM documentation.
When the LTPA token expires the users credentials
are expired (you are forced to re-login).
The web session timeout is
relative to user activity. That is, it resets to 0 when user activity
is detected.
LTPA token timeout is not related to user activity. It
will timeout after the amount of time from creation date no matter
what user activity is going on.
From http://www-01.ibm.com/support/docview.wss?uid=swg21078845:
Question 3
I want to force my users to re-login after a set "inactivity timeout" period. How is WebSphere Application Server supposed to work with regard to session timeouts and LTPA timeout.
Answer 3
See the answer to this question in item 9 of the following developerworks article:
http://www.ibm.com/developerworks/websphere/techjournal/1003_botzum/1003_botzum.html
From that link you learn:
9- I want to force my users to login again after a set "inactivity timeout" period. How is WebSphere Application Server supposed to work with regard to session timeouts and LTPA timeouts?
The WebSphere Application Server LTPA token expires based on the lifetime of the login session, not based upon inactivity. Thus, the WebSphere Application Server login session will not expire if the user performs no action for some period of time. However, the HTTPSession does expire based upon inactivity. If in your application you need to expire the use of an application based on idleness, you must explicitly code this in your application. You can capture when a user arrives with an expired session (really, a new session) and force them to login again if you think this is necessary. Keep in mind that doing this undermines Single Sign On across applications.
A second approach that is a slight variation on the first is to use HTTPSession.getLastAccessTime() to compute when the last client request occurred. If the time is too far into the past, you can of course fail the access and force a new authentication.
Either of these approaches can be made transparent to the application code through the use of servlet filters.
It should be noted that IBM TivoliĀ® Access Manager provides for lifetime- and idle-based authentication session timeouts.
Users often ask why WebSphere Application Server works this way. Why can't it timeout idle login sessions? The reason is because WebSphere Application Server is fundamentally a loosely coupled distributed system. Application servers that participate in an SSO domain don't need to talk to each other. They don't even have to be in the same cell. So, if you want to limit the idleness lifetime of an LTPA token (aka SSO token), you'd have to update the token itself with a last usage time on every request (or perhaps on the first request seen during a one minute interval). This means that the token itself would change frequently (meaning the browser would be accepting new cookies frequently) and that WebSphere Application Server would have to decrypt and verify the inbound token when it is seen to validate it. That could be expensive (WebSphere Application Server today only validates a token on the first use at each application server). It's not impossible to solve these problems with clever caching and such, but that's not how WebSphere Application Server works today.

Lost connection with HTTPS

I'm writing a web client that needs to deal with lost connection.
If you are connected to a server using HTTPS and Internet connection drops, will the server lose the session information?
Once Internet connection is restored, does the client need to re-login to the server or does it depend on the server?
Usually the server determines how long a session lives (by defining a session timeout) and how a session (if at all) is persisted between single requests. The server sends a cookie with the session information (a session key) back to the client, so when the client sends the next request including the session cookie, the server knows which session to use.
Having said is - there is no information between two requests, whether the internet connection was lost in the meantime. As long as the server still has the session and the client still has the corresponding cookie, everything should work as expected.
On the other hand, even if there was no interrupt in the connection at all and both server and client were up and running, but without talking to each other (i.e. without requests), the session might be lost because of a simple timeout on the server side.
So on the server you might receive requests for resources that are secured or need a certain session state - and there is no such session. And on the client side you always might receive responses that indicate that a login is necessary.
Both cases must be implemented properly.
The HTTP protocol itself is stateless i.e. each request is served as is without any relation to previous of future requests.
To overcome this you can use client Cookies. Your cookie can keep a session state identifier which can be sent back to the server after a connection drop to resume the previous state.
In addition to that you can build a session management module which handles session persistence.
first it depends on the type of session you are talking:
ssl session
This can cause an shortend renegotiation. If the Server support it.
That mean it save CPU time.
http sessions
here it does not only depend on the server but also on your web page code.
For example if the session drop's while delivering the page conntent.
The servlet receive an connection reset during flush and may invalidate the session.
Also id depends if the session is bound to the ip adress. Than it depends if the
new connection use the same ip adress.
There is no simple answer as you maybe expected. Since it depends on to many points.
As the others already stated you can "persist" a connection by using a SessionID, which is recommended to be stored in a cookie. Most of the modern Environments like PHP and ASP.NET use this mechanism which can deal with lost connections.
Please refer to https://www.owasp.org/index.php/Session_Management_Cheat_Sheet for security considerations for implementing a secure Session Management.
Additionally what you can do with SSL is to build the Session Management using client certificates. The user is identified by the unique certificate which is issued to him. This has the advantages that the client does not have to login first. On the other hand you have to issue a client cert to every client, which might be complex.
Use cookies to store the session information, once connection is lost you can easily get the information from the cookies. call the cookies using condition i.e. if session lost call for the cookie. use Php to store information in the session and call the cookie

Increase session timeout on .net mvc 3

I've added this inside the system.web node of my web.config
<sessionState mode="InProc" timeout="600" />
but my sessions are timing out within 30 minutes.
is there something else I need to do to increase my session timeout length?
There is a forms authentication node in my web.config as well but I'm not using any authentication on the web site. The forms authentication has a timeout value of 2880...but again, I'm not doing any authentication at all...
but my sessions are timing out within 30 minutes.
I suspect it's IIS which is recycling the application pool after a certain time of inactivity. And since your sessions are stored in-memory their contents is wiped out of existence when the web server tears down the application domain.
Look at the properties of the application pool of your application in IIS. You will see that there are settings allowing to configure this. There are also conditions such as memory or CPU threshold limits when IIS might recycle your application pool. If you want durable sessions you need to make them out-of-proc (session state server or SQL).

Sticky Sessions and Session Replication

I am evaluating the case of using sticky sessions with Session replication in tomcat. From my initial evaluation, I thought that if we enable Session replication, then session started in one tomcat node will be copied to all other tomcat nodes and thus we do not need sticky session to continue sessions and the request can be picked up by any node.
But it seems that session replication is in general used with sticky sessions, otherwise the session id needs to be changed whenever the request goes to some other node. ref: http://tomcat.apache.org/tomcat-6.0-doc/cluster-howto.html#Bind_session_after_crash_to_failover_node
Can anyone explain what is the real use of session replication if you have to enable sticky session? Because then you would be unnecessarily copying the session on each node, when the request with a given session id is always going to the same node. It could be beneficial in case of a node crashing, but then that does not happen frequently and using session replication only for that seems like an overkill.
As Mindas explained it before :
When you use loadbalancing it means you have several instances of tomcat and you need to divide loads.
If you're using session replication without sticky session : Imagine you have only one user using your web app, and you have 3
tomcat instances. This user sends several requests to your app, then
the loadbalancer will send some of these requests to the first tomcat
instance, and send some other of these requests to the secondth
instance, and other to the third.
If you're using sticky session without replication : Imagine you have only one user using your web app, and you have 3 tomcat
instances. This user sends several requests to your app, then the
loadbalancer will send the first user request to one of the three
tomcat instances, and all the other requests that are sent by this
user during his session will be sent to the same tomcat instance.
During these requests, if you shutdown or restart this tomcat
instance (tomcat instance which is used) the loadbalancer sends the
remaining requests to one other tomcat instance that is still
running, BUT as you don't use session replication, the instance
tomcat which receives the remaining requests doesn't have a copy of
the user session then for this tomcat the user begin a session : the
user loose his session and is disconnected from the web app although
the web app is still running.
If you're using sticky session WITH session replication : Imagine you have only one user using your web app, and you have 3 tomcat
instances. This user sends several requests to your app, then the
loadbalancer will send the first user request to one of the three
tomcat instances, and all the other requests that are sent by this
user during his session will be sent to the same tomcat instance.
During these requests, if you shutdown or restart this tomcat
instance (tomcat instance which is used) the loadbalancer sends the
remaining requests to one other tomcat instance that is still
running, as you use session replication, the instance tomcat which
receives the remaining requests has a copy of the user session then
the user keeps on his session : the user continue to browse your web
app without being disconnected, the shutdown of the tomcat instance
doesn't impact the user navigation.
I think the only real benefit is to be able to shut down Tomcat instances without much thinking. Especially this applies today in cloud world (think Amazon AWS spot instances) when nodes can go on and off really often. Alternative to this would be to buy a decent load balancer which supports node draining. But decent load balancers are expensive, and draining takes time.
Another scenario I can think of is a (poor implementation of) shopping cart where items are kept in the HttpSession and shutting down would require the user to re-purchase them (which would likely lead to a lost sale).
But in most cases you're right - benefit of having both sticky sessions and session replication is very negligible.
Just to clarify configuration issues on JBoss 5.X in "all" base configuration with mod_jk. Setting sticky sessions in workers.properties file
worker.list=loadbalancer
... nodes configuration omitted
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=True
does not prevent session replication. In order to switch off session replication on JBoss we need to set in $JBOSS_HOME\server\YOUR_NODE_NAME\deploy\cluster\jboss-cache-manager.sar\META-INF\jboss-cache-manager-jboss-beans.xml cacheMode parameter to LOCAL.
Usually in sticky session scenario we don't want session replication, since we do not want additional overhead connected with significant amount of I/O operations needed to replicate sessions.
In fact, if go with sticky sessions, we do not need to run JBoss in "all" configuration, we might use "default" or "standard" based configuration.
The only thing that has to be done is change in $JBOSS_HOME/server/YOUR_NODE_NAME/deploy/jbossweb.sar/server.xml:
<Engine name="jboss.web" defaultHost="localhost" jvmRoute="YOUR_NODE_NAME">

Resources