Hi Ujwol,
Thanks for your confirmation regarding ATTR_LASTSESSIONTIME. Did some analysis and I guess I figured out the answer for my previous query.
1) ATTR_IDLESESSIONTIMEOUT of the SMSESSION cookie will always be updated with the idle timeout of the last accessed realm. There are two cases here.
- If there is no WebAgent-OnAuthAccept-Session-Idle-Timeout response, the Session Timeout in the Realm section will be used.
- If there is a WebAgent-OnAuthAccept-Session-Idle-Timeout response, the corresponding Idle Timeout value will be used.
2) Idle timeout details of the realm will also be stored in the web agent cache (not sure if the Agent Resource Cache or the Agent Session Cache will be used).
Now, whenever the user hits any URL,
- While creating a session, ATTR_IDLESESSIONTIMEOUT of the SMSESSION cookie will be checked; if the difference between ATTR_LASTSESSIONTIME and the current time is greater than ATTR_IDLESESSIONTIMEOUT, the session will not be created and we will get the following lines in the logs.
<<
SMSESSION cookie has expired and will not be used to authenticate.
Unable to process SMSESSION cookie
>>
- If the session has not expired, the web agent will successfully decode the SMSESSION cookie. It will check if the resource is protected. After that, while validating the session using the 'Session ID' in the corresponding zone, the web agent will verify if the idle timeout of this session (ATTR_LASTSESSIONTIME - current time) is greater than the idle timeout of the corresponding realm (from the cache). If the session has already timed out, we will get the following line in the logs.
<<
realm has timeeout, session expired. Check next valid session
>>
Please confirm if my understanding is correct. I will definitely close this thread after your confirmation.
Thanks,
Dhilip
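The two-stage idle check described in the post above, modelled as an added Python example (not code from this thread or from the SiteMinder web agent). The attribute names follow the post; the function names, the seconds-based units, the sample values and the assumption that elapsed idle time is current time minus ATTR_LASTSESSIONTIME are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class SmSession:
    """Subset of an SMSESSION cookie relevant to idle-timeout handling."""
    session_id: str
    last_session_time: int      # ATTR_LASTSESSIONTIME, epoch seconds (assumed unit)
    idle_session_timeout: int   # ATTR_IDLESESSIONTIMEOUT, seconds (assumed unit)


def effective_idle_timeout(realm_timeout: int, response_timeout: Optional[int]) -> int:
    """Point 1 of the post: a WebAgent-OnAuthAccept-Session-Idle-Timeout
    response, when present, overrides the Session Timeout of the Realm section."""
    return response_timeout if response_timeout is not None else realm_timeout


def evaluate_request(cookie: SmSession, now: int, cached_realm_idle_timeout: int) -> str:
    """Outcome of a request at time `now` against the cookie and the realm
    idle timeout held in the agent cache. Returns one of
    'cookie_expired', 'realm_timeout' or 'valid'."""
    idle = now - cookie.last_session_time  # assumed: elapsed idle time in seconds
    # Check 1 (while creating the session): cookie-level idle timeout.
    # Corresponds to "SMSESSION cookie has expired and will not be used to authenticate."
    if idle > cookie.idle_session_timeout:
        return "cookie_expired"
    # Check 2 (while validating the session in its zone): realm-level idle
    # timeout from the cache. Corresponds to "realm has timeeout, session expired."
    if idle > cached_realm_idle_timeout:
        return "realm_timeout"
    return "valid"


def refresh_cookie(cookie: SmSession, now: int, realm_timeout: int,
                   response_timeout: Optional[int]) -> SmSession:
    """After a valid hit, the cookie carries the new last-access time and the
    idle timeout of the realm that was just accessed (point 1 of the post)."""
    return replace(cookie, last_session_time=now,
                   idle_session_timeout=effective_idle_timeout(realm_timeout, response_timeout))


# Constructed sample: cookie last touched at t=1000 with a 600 s idle timeout,
# realm configured for 600 s but an OnAuthAccept response tightening it to 300 s.
if __name__ == "__main__":
    cookie = SmSession("constructed-session-id", 1000, 600)
    realm_cached = effective_idle_timeout(600, 300)
    for t in (1200, 1500, 1700):
        print(t, evaluate_request(cookie, t, realm_cached))
```

With the sample values, t=1500 fails only the realm check (500 s idle exceeds the cached 300 s but not the cookie's 600 s), which is why the post sees the "realm has timeeout" line without the "SMSESSION cookie has expired" line.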