Symantec Access Management

  • 1.  Why is user logged out before max timeout? Why is SM_TIMETOEXPIRE value dropping drastically?

    Posted May 21, 2019 11:22 PM

    We are facing an issue where users are unpredictably getting logged out much sooner than the max timeout while being active. For example, a user will log in at 8:00am and even though the max timeout is set to 10 hours and the user is active, the user sometimes gets logged out at a time which is less than 10 hours (i.e. 10:13am, 2:46pm etc.). While investigating our logs, we noticed that the SM_TIMETOEXPIRE value in the request header is much lower than it should be.

    We are not able to determine what is causing this to occur, however there is one way we were able to reproduce the issue. Let's say there are two applications that use the same Siteminder SSO. In Chrome, I open application #1 and am directed to the Siteminder SSO login. In another tab, I open application #2 and am directed to the Siteminder SSO login. On application #1, I log in and in the logs I can see that the SM_TIMETOEXPIRE value is 10 hours as expected. Then I go back to the other tab where I'm at the login screen for application #2 and I log in again with the same credentials (yes I know this defeats the purpose of SSO) and when I check the logs, I notice that the SM_SERVERSESSIONID in the request header is different for both logins and that one of the SM_TIMETOEXPIRE values is intact and the other is drastically smaller (i.e. less than 120 seconds). Note: Users have experienced the premature logout without doing the above scenario where a user logs in twice in the same browser.

    1) Are there any scenarios in which the user (who is active) is logged out earlier than the max timeout?

    2) Are there any scenarios that would cause the SM_TIMETOEXPIRE max timeout value to drop drastically?

    3) Is it possible for a user to log in with the same credentials twice and be given two different session IDs? If so, does siteminder invalidate one of the sessions by drastically reducing the SM_TIMETOEXPIRE value on one of the sessions?

    4) Any theories on what may be causing users to get prematurely logged out or to cause the SM_TIMETOEXPIRE value to drop drastically?



  • 2.  Re: Why is user logged out before max timeout? Why is SM_TIMETOEXPIRE value dropping drastically?
    Best Answer

    Broadcom Employee
    Posted May 23, 2019 01:21 PM

    Hi Viren, 

    I've not personally heard of an issue like this before; it seems pretty unusual.

    1) Are there any scenarios in which the user (who is active) is logged out earlier than the max timeout?

    >> Logged out vs having their remaining time reduced are different things. Logged out could happen if the session was logged out on another tab. Time remaining being reduced would more likely be if they moved to another realm with a shorter timeout. Or if they were idle longer than they realized.

    2) Are there any scenarios that would cause the SM_TIMETOEXPIRE max timeout value to drop drastically?

    >> I can only think of where the time had actually passed. Perhaps in another tab using the same session and it has synced with the older session.

    3) Is it possible for a user to log in with the same credentials twice and be given two different session IDs? If so, does siteminder invalidate one of the sessions by drastically reducing the SM_TIMETOEXPIRE value on one of the sessions?

    >> Yes, for example if you use two different browser types, there is no session sharing so they end up with unique values. If you use two tabs, since you have both login forms already loaded, on the initial login the serversessionid will be different. But as soon as you refresh the tabs, the serversessionid, serversessionspec, SMSESSION cookie, etc. should sync up.

    4) Any theories on what may be causing users to get prematurely logged out or to cause the SM_TIMETOEXPIRE value to drop drastically?

    >> Very hard to tell without data. Maybe an old cookie is being replayed from cache, hence the sudden drop in time or it is even expired already causing the logout. Or as I said, there are different realm timeouts in play, but no EnforceRealmTimeouts set in ACO. 

    If this is a serious or widespread issue, you may want to consider opening a Support case to get assistance.

    Thanks!
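    A log-correlation check to support the kind of investigation the question describes and the "hard to tell without data" answer above. This is an added example, not part of the thread and not SiteMinder code: it assumes an application that logs its incoming SM_SERVERSESSIONID and SM_TIMETOEXPIRE headers per request (constructed format, with a hypothetical realm field), and reads SM_TIMETOEXPIRE as seconds, as the original post does. It flags sessions whose remaining time fell by more than the wall-clock time that elapsed (a realm change explains a shorter realm timeout; otherwise a replayed older SMSESSION cookie or a logout elsewhere is the next suspect) and users holding two session ids at once, the two-tab double login.

```python
"""Correlate SM_SERVERSESSIONID and SM_TIMETOEXPIRE across logged requests to
spot remaining time that fell faster than the clock, and users holding more
than one session id at once. SM_TIMETOEXPIRE is read as seconds, as the OP does."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one line per request as an application might log its
# incoming SiteMinder headers. The realm field is hypothetical.
SAMPLE_LOG = """\
2019-05-21T08:00:05 user=viren realm=app1 SM_SERVERSESSIONID=sess-A SM_TIMETOEXPIRE=36000
2019-05-21T08:00:40 user=viren realm=app2 SM_SERVERSESSIONID=sess-B SM_TIMETOEXPIRE=36000
2019-05-21T08:05:00 user=viren realm=app1 SM_SERVERSESSIONID=sess-A SM_TIMETOEXPIRE=35705
2019-05-21T08:10:00 user=other realm=app1 SM_SERVERSESSIONID=sess-C SM_TIMETOEXPIRE=36000
2019-05-21T09:10:00 user=other realm=app1 SM_SERVERSESSIONID=sess-C SM_TIMETOEXPIRE=32400
2019-05-21T10:13:00 user=viren realm=app1 SM_SERVERSESSIONID=sess-A SM_TIMETOEXPIRE=95
"""

def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with ts, user, realm, sid, tte."""
    ts, *tokens = line.split()
    rec = dict(tok.split("=", 1) for tok in tokens)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["sid"] = rec.pop("SM_SERVERSESSIONID")
    rec["tte"] = int(rec.pop("SM_TIMETOEXPIRE"))
    return rec

def find_anomalies(log_text, slack=60):
    """Return (drops, multi): drops lists (sid, user, prev_realm, realm,
    shortfall_seconds) where remaining time fell by more than elapsed+slack
    between consecutive requests; a realm change points at a shorter realm
    timeout, otherwise suspect a replayed older SMSESSION cookie or a logout
    in another tab. multi maps users with >1 session id to the sorted ids."""
    recs = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                  key=lambda r: r["ts"])
    by_sid, by_user = defaultdict(list), defaultdict(set)
    for r in recs:
        by_sid[r["sid"]].append(r)
        by_user[r["user"]].add(r["sid"])
    drops = []
    for sid, seq in by_sid.items():
        for prev, cur in zip(seq, seq[1:]):
            elapsed = (cur["ts"] - prev["ts"]).total_seconds()
            shortfall = (prev["tte"] - elapsed) - cur["tte"]  # loss beyond elapsed time
            if shortfall > slack:
                drops.append((sid, cur["user"], prev["realm"], cur["realm"], int(shortfall)))
    multi = {u: sorted(s) for u, s in by_user.items() if len(s) > 1}
    return drops, multi

if __name__ == "__main__":
    print(find_anomalies(SAMPLE_LOG))
```

    In the sample, sess-A loses 27930 more seconds than the clock explains between 08:05 and 10:13 with no realm change, while sess-C ticks down exactly as expected.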



  • 3.  RE: Re: Why is user logged out before max timeout? Why is SM_TIMETOEXPIRE value dropping drastically?

    Posted Mar 18, 2021 04:20 AM
    Hi,

    We are still dealing with sm_timetoexpire and I would have a few questions.
    We have a frontend application which is protected by SiteMinder but we would like to display a timer on our UI which tells how much time the user has left in the active session or in the idle one before being forced to authenticate again. To achieve this I have a few questions:

    1. I would like to know how to interpret the value of sm_timetoexpire. Is it in seconds or milliseconds?
    2. Can we get back the idleTimeout value as well in an HTTP header, or is there any other variable that we could use?
    3. If a timeout occurs (idle or session), is there any way to configure how SiteMinder behaves? As far as I know the default behavior is an HTTP 302 redirect to the login page. Can we configure Siteminder to behave differently, like returning HTTP 401 until there is a valid session again?

    Thank you for your help!

    Regards,
    Viktor