Saturday, September 15, 2007

Complexity of Session Timeout



One of our application teams was using the centralized access control product to secure access to their application. Users of that application started reporting a timeout issue from the application after some time. We thought that increasing the idle/session timeout settings should solve this problem. We increased both values to hours, just to test whether those settings were the culprit. Making that change did not change the situation. Our next suspect was the application code, so we asked the application team to check whether the code was doing any session timeout after some time. They confirmed that this was not the case either. We approached the application deployment team and requested that they change the session timeout parameter on the application server. As soon as they changed the session timeout value to unlimited, the problem was resolved.

My question to myself was: how can that application server parameter be responsible for the timeout and for redirecting the user to the login page? I read the servlet specification (version 2.3) on this issue, and here is what I feel should be happening in this case.

1) User accesses the application page for the first time.

2) Since the access control product is used to protect the application, the user is redirected to the access control login page.

3) User authenticates successfully and is redirected to the application.

4) The access control product agent uses the session variable (JSESSIONID) as a key to cache the user details such as session expiry, idle timeout etc.

5) User accesses the application again. This time the JSESSIONID is passed from the browser as a cookie to the application/web server. This JSESSIONID is used as the key to look up the session information in the access control product agent cache.

6) After the JSESSIONID expires at the application server, a new JSESSIONID is generated and the cookie value is overwritten.

7) User accesses the page again, but this time the new JSESSIONID value is passed to the application/web server. This new value is again compared against the cache. It will not be found in the cache. The agent treats the request as coming from a new user and redirects the user to the login page.

What value should be set for the session expiry:

Ideally, the JSESSIONID expiry should be set to the same value as the session timeout of the access control product. If the access control product has a session expiry of 1 hour and an idle timeout of 30 minutes, then the application server session expiry should be set to 1 hour. Since the servlet session timeout is an inactivity timeout, choosing the longer of the two values guarantees that the application server never expires a session (and rotates the JSESSIONID) while the access control product still considers the user logged in.
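The following simulation replays steps 1 to 7 above against a simulated clock and then shows the effect of the recommended setting. It is an added example, not code from this post or from any real access control product or servlet container: the `AppServer`, `Agent` and `simulate` names, the constructed JSESSIONID values and the request timings are all assumptions made for illustration. Times are in minutes.

```python
"""Simulation of the JSESSIONID / access control agent interaction described
in the post. Added example, not code from the post or from any real product;
all names, timeouts and request timings are constructed. Times are minutes."""
import itertools
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AppServer:
    """Servlet container. Issues JSESSIONID and drops a session that has been
    inactive for more than `timeout` minutes (the servlet session timeout).
    timeout=None models the 'unlimited' setting mentioned in the post."""
    timeout: Optional[float]
    _ids: itertools.count = field(default_factory=itertools.count, init=False, repr=False)
    _last_seen: dict = field(default_factory=dict, init=False, repr=False)

    def handle(self, jsid, now):
        """Return the JSESSIONID to set in the response: the presented one if
        it is still live, otherwise a freshly generated one (steps 5 and 6)."""
        last = self._last_seen.get(jsid)
        if last is None or (self.timeout is not None and now - last > self.timeout):
            self._last_seen.pop(jsid, None)           # old session is gone
            jsid = f"JSID{next(self._ids)}"           # new session, cookie overwritten
        self._last_seen[jsid] = now
        return jsid


@dataclass
class Agent:
    """Access control agent. Caches user details keyed by JSESSIONID (step 4)
    and enforces its own session expiry and idle timeout."""
    session_expiry: float
    idle_timeout: float
    _cache: dict = field(default_factory=dict, init=False, repr=False)

    def check(self, jsid, now):
        """Return None if the request may pass, else why a login is required."""
        if jsid is None:
            return "login:no-cookie"                  # step 1: first visit
        entry = self._cache.get(jsid)
        if entry is None:
            return "login:cache-miss"                 # step 7: key unknown to the agent
        if now - entry["login"] > self.session_expiry:
            del self._cache[jsid]
            return "login:ac-session"                 # genuine access control expiry
        if now - entry["last"] > self.idle_timeout:
            del self._cache[jsid]
            return "login:ac-idle"                    # genuine idle timeout
        entry["last"] = now
        return None

    def remember_login(self, jsid, now):
        """Step 4: cache the authenticated user's details under the JSESSIONID."""
        self._cache[jsid] = {"login": now, "last": now}


def simulate(app_timeout, ac_session_expiry, ac_idle_timeout, request_times):
    """Replay one user's requests; report per request whether it went straight
    through ('ok') or was bounced to the login page, and why."""
    app = AppServer(app_timeout)
    agent = Agent(ac_session_expiry, ac_idle_timeout)
    cookie = None                                     # browser's JSESSIONID cookie
    events = []
    for now in request_times:
        reason = agent.check(cookie, now)             # agent runs in front of the app
        new_cookie = app.handle(cookie, now)          # app answers and may rotate the id
        if reason is not None:
            agent.remember_login(new_cookie, now)     # user logged in; cache under the id the app returned
        cookie = new_cookie                           # browser stores whatever came back
        events.append(reason or "ok")
    return events


if __name__ == "__main__":
    gaps = [0, 10, 50, 55]                            # a 40 minute pause between the 2nd and 3rd request
    print("app 30 min, AC 480/120:", simulate(30, 480, 120, gaps))
    print("app unlimited, AC 480/120:", simulate(None, 480, 120, gaps))
    print("app 60 min, AC 60/30, long pause:", simulate(60, 60, 30, [0, 10, 50]))
```

The first run reproduces the bug report: the 40 minute pause is shorter than every access control timeout, yet the servlet session expires, the JSESSIONID is rotated on the third request, and the fourth request is a cache miss that sends the user back to the login page. The second run shows that the unlimited setting removes the spurious login, and the third run shows that with the post's recommended values (application server timeout equal to the 1 hour access control session expiry) the 30 minute idle timeout of the access control product still fires as intended.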