Thursday, June 4, 2009

Sun Access Manager : Session Timeout

I'm still in Bangkok today with the same local Thai bank. Today, we were discussing Session Timeout with Sun Java System Access Manager 7.1 SP1. (FYI, AM 8.x is now known as Sun OpenSSO Enterprise. OpenSSO is free; OpenSSO Enterprise is commercially licensed.)

The customer is asking why an authenticated user is getting a Session Timeout error.

For example, the user has logged on to Access Manager and been idle for more than a few minutes. When he comes back and tries to continue where he left off, he gets the "Your session has timed out" error message.



Well, I point them to the above diagram, which I find very useful. (If you need to know more about the Session Service, you can read about it here.)

If you analyze the state diagram carefully, you'll realize that an Idle Time-Out session will go into the Expired Session state. In this state, the session is not destroyed until the purge delay time elapses.

Therefore, in the Session table, you'll find a session with the SSO token event type "SSO_TOKEN_IDLE_TIMEOUT". This explains why the error message "Your session has timed out" appears.

The next question is how to avoid getting this Session Timeout error.

Well, the explanation is here.

Edit the AMConfig.properties file.
Change the value 
com.iplanet.am.session.purgedelay=60
to 
com.iplanet.am.session.purgedelay=0

Restart your AM server.

The customer then asks why an unauthenticated user is also getting a Session Timeout error.

For example, the user has been on the Access Manager login screen and been idle for more than a few minutes. When he comes back and tries to log on, he gets the "Your session has timed out" error message.

Well, this took me quite a while to answer. The detail is hidden here.  

Basically, you need to do a few things:
1. Know which authentication module is utilized
2. Search for the appropriate XML file in [webapp-path]/SUNWam/web-src/services/config/auth/default. (In our case, LDAP.xml)
3. Set the value to 0 for every occurrence of the timeout attribute
4. Restart AM server
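
The two edits described in this post (purgedelay in AMConfig.properties and the timeout attributes in the module XML) can be scripted so that the previous values are recorded for review or rollback. This is an added example, not part of the original post or of Access Manager itself. The sample file contents and the function names are constructed assumptions.

```python
import re

# Constructed sample modelled on an Access Manager auth module file such as
# LDAP.xml; element names and values are assumptions, not copied from a server.
SAMPLE_LDAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ModuleProperties moduleName="LDAP" version="1.0">
    <Callbacks length="2" order="1" timeout="120" header="LDAP Authentication">
        <NameCallback isRequired="true"><Prompt>User Name:</Prompt></NameCallback>
        <PasswordCallback echoPassword="false"><Prompt>Password:</Prompt></PasswordCallback>
    </Callbacks>
    <Callbacks length="1" order="2" timeout="120" header="Change Password">
        <PasswordCallback echoPassword="false"><Prompt>Old Password:</Prompt></PasswordCallback>
    </Callbacks>
</ModuleProperties>
"""

# Constructed fragment of AMConfig.properties.
SAMPLE_PROPERTIES = """# session settings
com.iplanet.am.session.purgedelay=60
"""

# A timeout="N" attribute inside a start tag; text between tags is not touched.
TIMEOUT_ATTR = re.compile(r'(<[^<>]*?\btimeout\s*=\s*")(\d+)(")')
PURGE_DELAY = re.compile(r'^(com\.iplanet\.am\.session\.purgedelay[ \t]*=[ \t]*)(\S*)[ \t]*$', re.M)


def zero_login_timeouts(xml_text):
    """Set every timeout attribute to 0; return (new_text, previous_values)."""
    previous = [m.group(2) for m in TIMEOUT_ATTR.finditer(xml_text)]
    return TIMEOUT_ATTR.sub(r"\g<1>0\g<3>", xml_text), previous


def zero_purge_delay(properties_text):
    """Set the purge delay to 0; return (new_text, previous_value or None)."""
    match = PURGE_DELAY.search(properties_text)
    if match is None:
        return properties_text, None  # property absent: leave the file alone
    return PURGE_DELAY.sub(r"\g<1>0", properties_text), match.group(2)


if __name__ == "__main__":
    new_xml, old_timeouts = zero_login_timeouts(SAMPLE_LDAP_XML)
    new_props, old_delay = zero_purge_delay(SAMPLE_PROPERTIES)
    print("timeout attributes changed from:", old_timeouts)
    print("purge delay changed from:", old_delay)
    print(new_xml)
```

Both functions work on text and leave the rest of the file byte-for-byte unchanged, so the result can be diffed against a backup before the AM server is restarted.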
