Assume that we have two applications A and B.
- For both applications, the Protection Level is the same and SessionGracePeriod is 30 seconds.
- But, the Idle Timeout of application A is 1 hour whereas the Idle Timeout of application B is 5 minutes.
- At 10:00 AM, we are logging into application A and the SMSESSION cookie is getting generated.
- At 10:05 AM, we are logging into application B in the same browser (we are not prompted for credentials and the existing session has been used).
- We are not performing any activity till 10:15 AM.
- Now, if we refresh application B at 10:15 AM, it is not prompting for credentials, meaning the session is not getting expired (due to Idle Timeout) for application B.
I presume it is because SMSESSION has been created with Application A and the value of ATTR_IDLESESSIONTIMEOUT in SMSESSION will be 1 hour. Please correct me if I am wrong.
- Now, how can we overcome this behavior? Do we have any parameter in the ACO to control this?
- Also, if the SMSESSION cookie will not be updated with the Idle Timeout of application B, why am I getting the "Generated SMSESSION cookie" message in the Webagent trace log while launching application B? Has the cookie been re-generated using the same values?
- First of all, on launching application B (after the SessionGracePeriod period), will the webagent request the webserver to create a new SMSESSION cookie, as I could see the Cookie Created time (in the Chrome browser) is getting updated? If yes, is there any specific reason for creating a new cookie instead of updating the value of the same/old cookie (in encrypted format)?