For a SiteMinder-protected application in our infra, users are getting logged out after 1 hour even though they are active.
MaxIdleTimeOut = 1hr
Has anybody faced this issue or any idea about it?
That should be the expected behavior with the Max Idle Timeout setting. Please refer to the document link below for further details.
Realm Dialog Reference - CA Single Sign-On - 12.7 - CA Technologies Documentation
Maximum Timeout
If enabled, determines the maximum amount of time a user session can be active before the Agent challenges the user to re-authenticate.
This setting is enabled by default. To specify no maximum session length, clear the checkbox. The default maximum session length is two hours.
Minutes
Specifies the minutes value for the maximum session length. To use this feature with the Basic authentication scheme, your Web Agent must be configured to Require Cookies.
Idle Timeout
If enabled, determines the amount of time that an authorized user session can remain inactive before the Agent terminates the session. If you are concerned about users leaving their workstations after accessing a protected resource, set the idle timeout to a shorter period of time. If the session times out, users must re-authenticate before accessing the resources in the realm. This setting is enabled by default. To specify no session idle timeout, clear the checkbox. The default session idle timeout is one hour.
Default: 60 seconds. For example, if you set the idle timeout at 10 minutes, and you use the default value of the MaintenancePeriod registry setting, the longest time period before a session will timeout due to inactivity is 11 minutes (specified timeout + maintenance period). To use this feature with the Basic authentication scheme, your Web Agent must be configured to Require Cookies.
Note: Be aware of the following:
Thanks Ashok for the reply.
However if a user is active then he shouldn't be logged out after idle timeout, isn't it?
Can you please share Fiddler? We would need to check if the SMSESSION cookie is being updated every time the user refreshes or accesses a new page.
Sent from my iPhone
I will surely try to share it.
However, what exactly should we try looking for in the SMSESSION cookie?
The cookie value needs to change every time the page is refreshed or the user visits a different page.
This is required to keep track of the "ATTR_LASTSESSIONTIME" which is embedded within the SMSESSION cookie.
This is needed to enforce idle/max time out related restrictions by web agent.
More on the SMSESSION cookie: Tech Tip: CA Single Sign-On: What information is stored in the SMSESSION Cookie
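The check described in the posts above, as an added example that is not part of the original thread: it walks a browser capture in HAR 1.2 shape and reports how long the browser kept presenting one unchanged SMSESSION value, and whether any response set a new one. The sample capture, its cookie values and the function names are constructed for illustration; it assumes the Fiddler session has been exported as HAR.

```python
from datetime import datetime

def entry(ts, sent, issued=None):
    """Build one HAR-1.2-shaped entry (constructed sample data, not a real capture)."""
    return {"startedDateTime": ts,
            "request": {"cookies": [{"name": "SMSESSION", "value": sent}]},
            "response": {"cookies": [{"name": "SMSESSION", "value": issued}] if issued else []}}

# Constructed capture: 65 minutes of user activity, cookie value never changes.
SAMPLE_HAR = {"log": {"entries": [
    entry("2018-12-19T08:00:00+00:00", "cookie-A"),
    entry("2018-12-19T08:25:00+00:00", "cookie-A"),
    entry("2018-12-19T08:50:00+00:00", "cookie-A"),
    entry("2018-12-19T09:05:00+00:00", "cookie-A"),
]}}

def cookie_value(msg, name="SMSESSION"):
    """Value of the named cookie in a HAR request or response object, or None."""
    return next((c["value"] for c in msg.get("cookies", []) if c["name"] == name), None)

def smsession_timeline(har):
    """Per request, in time order: (timestamp, value sent by browser, value set by response)."""
    rows = [(datetime.fromisoformat(e["startedDateTime"]),
             cookie_value(e["request"]), cookie_value(e["response"]))
            for e in har["log"]["entries"]]
    return sorted(rows, key=lambda r: r[0])

def diagnose(har, idle_timeout_s):
    """Summarise SMSESSION refresh behaviour as seen from the browser side."""
    rows = smsession_timeline(har)
    current, since, longest = None, None, 0.0
    for ts, sent, _ in rows:
        if sent is None:
            continue
        if sent != current:              # browser is presenting a refreshed cookie
            current, since = sent, ts
        longest = max(longest, (ts - since).total_seconds())
    issued = [v for _, _, v in rows if v]
    sent_values = {s for _, s, _ in rows if s}
    return {"requests": len(rows),
            "refreshes_issued": len(issued),     # responses that set SMSESSION
            "refreshes_adopted": sum(1 for v in issued if v in sent_values),
            "longest_unchanged_s": longest,
            "exceeds_idle_timeout": longest >= idle_timeout_s}

if __name__ == "__main__":
    print(diagnose(SAMPLE_HAR, idle_timeout_s=3600))
```

A result with `refreshes_issued` at 0 while the agent trace log still shows cookies being generated means the new cookie is being lost between the agent and the browser.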
Ujwol, you were spot on.
The value of the SMSESSION cookie is not changing, and I checked in Session Cookie Management - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation to see if any ACO parameter is stopping the SMSESSION cookie update, but that is not the case.
So, smsession is getting logged off despite being active
Specifies the number of seconds the agent waits from the last accessed time of the received session cookie before it generates a new session cookie. Set the SessionGracePeriod to 0 to disable the setting. If the setting is disabled, the agent updates session cookies for every request instead of skipping updates.
Note: The specified session grace period must be at least half of the configured idle timeout. If the session grace period is less than half of the idle timeout, the agent generates a new session cookie according to the following formula:
IdleTimeout - (SessionGracePeriod * 2)
For example, if your session grace period is 25 minutes and the idle timeout is 60 minutes, the agent regenerates a session cookie after 10 minutes (because 60-(25*2)=10).
You can specify how often the Web Agent redirects a request to the Cookie Provider to set a new cookie using the SessionUpdatePeriod parameter.
This parameter specifies how often (in seconds) a Web Agent redirects a request to the Cookie Provider to set a new cookie. Refreshing the master cookie decreases the possibility that it will expire due to an idle time-out of the session. The default is 60 seconds.
Look into above two settings.
Thanks for the quick response. I see SessionGracePeriod=30 and SessionUpdatePeriod=60 in our ACO.
Are both the SessionGracePeriod and SessionUpdatePeriod in seconds?
Yes, they are in seconds. Can you check your web agent trace logs if it says “Generated SMSESSION cookie”?
If it says that, it means web agent is creating cookie.
If it still doesn’t refresh on the browser, then it could be cached at the web server. What is your web server? If IIS, try disabling Output and User cache.
I am facing similar issue, any suggestions?... My configuration for Session in ACO is as below:
even the session is "Generated SMSESSION cookie." still the agent says "User 'cn=test4john,ou=people,ou=internet,o=teds' is not authorized by Policy Server.]" and the reason is as below from SMPS logs
AzReject xtvlap1138 [19/Dec/2018:08:28:06 -0800] "10.61.186.49 " "test4-web-tfs GET /myaccounts/w/js/app/views/statement_view.js" [0000000000000000000000008ed43d0a-39bf-5c1a7196-90fa7700-6cc02c94d157]  Session has expired  
Although the idle timeout is 16 mins and max is 2 hrs and none of them has been exhausted, this happens just between 4-5 mins of inactivity
SMSESSION cookies are generated as per logs and not reaching the server. We are using IIS. Please suggest what the options are to resolve the issue, as the application times out after 30 mins even if the user is active.
It will be very difficult to troubleshoot these kinds of issues on the communities without sufficient information. I would suggest opening a support ticket with the necessary logs to investigate and troubleshoot it further.