CAS5 tgt ticket time out when session is inactive?


Duane Booher

Oct 25, 2017, 2:48:53 PM
to CAS Community
Hello, I'm running CAS5.0 with all of the tgt session defaults. We are testing tgt timeout when a tgt session is inactive with no new activity. I was assuming that the default setting of cas.ticket.tgt.timeToKillInSeconds=7200 would kill the session; however, it is going beyond 2 hours. Our goal for tgt is to have the 8 hour forced expire and a 2 hour expire if inactive. What am I missing?

Here are the defaults which I am running with:

# cas.ticket.tgt.onlyTrackMostRecentSession=true
# cas.ticket.tgt.maxLength=50

# Set to a negative value to never expire tickets
# cas.ticket.tgt.maxTimeToLiveInSeconds=28800
# cas.ticket.tgt.timeToKillInSeconds=7200

# cas.ticket.tgt.rememberMe.enabled=true
# cas.ticket.tgt.rememberMe.timeToKillInSeconds=28800

# cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800

# cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800
# cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=5

# cas.ticket.tgt.hardTimeout.timeToKillInSeconds=28800

Thanks,
Duane

Ray Bon

Oct 25, 2017, 4:14:55 PM
to cas-...@apereo.org
Duane,

By session, do you mean the client application the user is working in or do you mean the SSO session? 
The client application is responsible for its own session expiration. CAS only sends a logout to applications if a user chooses to log out (and appropriate configuration is in place).
After 2 hours the SSO session would expire; a user would be presented with the login screen when accessing a different client service.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Duane Booher

Oct 25, 2017, 4:31:33 PM
to CAS Community
Thanks for the response, good point.

What I really mean is: for a given SSO session (TGT and a created ST) in a given browser, a new ST comes in after 2 hours. In this case we would like a new forced CAS login to occur.

For example, here is how I am testing where page-a and page-b are static web pages:

cas/login?service=https://page-a    ==> generates TGT + ST
<after 2 hours>
cas/login?service=https://page-b    ==> generates ST (but currently w/o any required CAS/Login)

Does this make sense?

Duane

Duane Booher

Oct 26, 2017, 12:24:46 PM
to CAS Community
Just some more information on my investigation. We are running CAS 5.0.5, plus I have tested 5.0.9 with the same results.

For CAS4 we use these parameters, which work for our authentication timeout controls:

tgt.maxTimeToLiveInSeconds=28800

tgt.timeToKillInSeconds=7200


On CAS5 I've been using these parameters (w/ smaller numbers for test/verification):

cas.ticket.tgt.maxTimeToLiveInSeconds=28800

cas.ticket.tgt.timeToKillInSeconds=7200


maxTimeToLiveInSeconds works
timeToKillInSeconds does not work

I have also tried most of the other CAS5 tgt parms in my original posting with no impact on the timetokill.

Does anyone have any suggestions/workarounds?

Duane

Ray Bon

Oct 26, 2017, 1:10:07 PM
to cas-...@apereo.org
Duane,

These are my settings:

# TGT Expiration Policy
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=7200


# Remember Me
cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=28800

As I understand it, your setting (cas.ticket.tgt.timeToKillInSeconds) will provide a sliding window, adding 2 hours every time the TGC is used up to 8 h. My config above sets a fixed timeout to 2 h unless user checks remember me (setting enable to true will show a check box on the login page).

Ray

Duane Booher

Oct 26, 2017, 6:56:59 PM
to CAS Community
Ray, I now have the behavior that I was hoping for by using these settings:

cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=7200

cas.ticket.tgt.timeToKillInSeconds=28800


Notice that what you and I are essentially using is the opposite of what the TGT expire policy doc maxTimeToLiveInSeconds/timeToKillInSeconds specifies. Thus the source of my confusion.

Thank you very much for the help!
Duane

Duane Booher

Oct 27, 2017, 10:51:03 AM
to CAS Community
Scratch my last comment. I did want the default behavior of the 2 hour sliding window with a max of 8 hours.

Thanks
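
Added example, not part of the thread and not CAS code: a small Python model of the behaviour described above (2 hour sliding idle window with an 8 hour cap), replayed over the page-a/page-b test. The class and function names are hypothetical, and the rule that either limit alone expires the TGT is an assumption taken from the thread's description.

```python
from dataclasses import dataclass

# Values quoted in the thread; the parsing and policy below are a model.
PROPS = """
cas.ticket.tgt.maxTimeToLiveInSeconds=28800
cas.ticket.tgt.timeToKillInSeconds=7200
"""

@dataclass
class SlidingTgtPolicy:
    max_ttl: int       # hard cap, seconds since the TGT was created
    time_to_kill: int  # idle window, seconds since the TGT was last used

    @classmethod
    def from_properties(cls, text):
        kv = dict(line.split("=", 1) for line in text.split() if "=" in line)
        return cls(int(kv["cas.ticket.tgt.maxTimeToLiveInSeconds"]),
                   int(kv["cas.ticket.tgt.timeToKillInSeconds"]))

    def expired(self, created, last_used, now):
        # Assumed semantics: either limit alone is enough to expire the TGT.
        return (now - created > self.max_ttl
                or now - last_used > self.time_to_kill)


def replay(policy, request_times):
    """Replay cas/login requests from one browser, times in seconds.

    Returns one outcome per request: "login" when credentials are required
    (no TGT yet, or it expired) and "sso" when the existing TGT is reused.
    """
    created = last_used = None
    outcomes = []
    for now in request_times:
        if created is None or policy.expired(created, last_used, now):
            created = now          # fresh TGT after a full login
            outcomes.append("login")
        else:
            outcomes.append("sso")
        last_used = now            # any use restarts the idle window
    return outcomes


if __name__ == "__main__":
    policy = SlidingTgtPolicy.from_properties(PROPS)
    # Thread's test: page-a, then page-b a little over 2 hours later.
    print(replay(policy, [0, 7260]))
    # Active user every 90 minutes: the 8 hour cap ends the session.
    print(replay(policy, [t * 5400 for t in range(7)]))
```

If a deployment still issues an ST without a login in the first scenario, the idle limit is not the policy actually in effect.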

sai ram

Jul 17, 2018, 2:51:12 AM
to CAS Community
Duane,
I'm using the same config, but the session is expiring within 2 hours of idle time. Do you have any ideas to stop this?

sai ram

Jul 19, 2018, 8:42:20 AM
to CAS Community
What is meant by this property for CAS tgt:
 cas.ticket.tgt.onlyTrackMostRecentSession=true