increasing ST time-to-kill


Dave Steiner

Nov 8, 2022, 11:02:21 PM
to CAS Community
Generally we run our CAS/Hazelcast servers with the default value for cas.ticket.st.time-to-kill-in-seconds (is that 5 seconds? I can't seem to find the default). But several times a year the students go through web registration and we get several thousand users logging in at once. This tends to cause issues, and one of the things I wanted to try is increasing the time that STs are valid so that users aren't timing out and just adding to the problem.

So this morning we increased it to 30 seconds and things went much smoother.  Logins still took some time but I didn't see anyone having timeout or any other kind of issues.

So I need the setting to be 30 seconds or so during these registration periods but don't want to have to keep changing it back and forth. Does anyone know of any concerns with leaving this at 30 seconds? The CAS Protocol docs mention under 5 minutes so I think we're good, but we just want to make sure we're not missing something.

thanks,
ds
Dave Steiner
Rutgers University, IdM Architect

Ray Bon

Nov 9, 2022, 4:03:06 PM
to cas-...@apereo.org
Dave,

The timeout (default 10s https://apereo.github.io/cas/6.6.x/ticketing/Configuring-Ticket-Expiration-Policy.html#service-ticket-policies) is a trade-off between user experience and security.

Ray

On Tue, 2022-11-08 at 12:32 -0800, Dave Steiner wrote: