CAS timeouts

Ronald Gouldner

Sep 28, 2020, 7:43:33 PM
to KC.Tech.Collab, rice....@kuali.org
We recently switched back to CAS after using CORE for a few years. We are finding that users are complaining about losing their sessions while being active in the system.    CORE used to keep the user sessions open indefinitely.   Our CAS system is configured to keep the session open for 2 hours rolling based on activity and 8 hours fixed.   So we don't think the issue is on the CAS side.

We are on KC 1709.0022, Rice uh-rice-2.5.3.1709.0004

What settings should we be looking at for CAS timeouts?
Has anything changed from older versions of CAS that perhaps we need to reconfigure or update? For example I notice in our kc-config.xml file that we are using the following ticket validation filter. 

<param name="filter.validation.class">org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</param>

The only parameter I have found so far is the session timeout warning which we aren't even seeing.  "SESSION_TIMEOUT_WARNING_MESSAGE_TIME"

I thought I remembered there was a session parameter which was defaulted to 60 minutes, but I can't seem to locate it anymore.



Ronald Gouldner

Oct 4, 2020, 5:16:19 PM
to KC.Tech.Collab, rice....@kuali.org
I have discovered the cause of this issue but not yet found a solution.  The UH CAS implementation is set to end the "CAS session" on a 2 hour rolling basis.  Since KC only reaches out to CAS once to authenticate, the CAS session never rolls and the 2 hour timeout closes the TGC cookie.

When this happens our UH CAS is sending a URL request into the service URL that was used to create the TGC cookie and Tomcat is closing the session for that TGC cookie.

I am working with our CAS team to figure out why it makes a call to the service URL when the TGC cookie is closed.  That wasn't expected.  Does anyone know why CAS does this and if this is an option or not?

Does anyone know if tomcat can be configured to not close the session when the TGC cookie expires?   We want to keep the session open until either the 8 hour session timeout occurs or the user clicks on Logout inside the application.   

I found that I could not debug this issue from my local machine because the CAS couldn't reach my machine when it made the TGC cookie expired call to my service URL.  This is because I use a hostname on my machine that is only known inside my network.  So CAS couldn't resolve my hostname to reach me.

This makes me think that perhaps I can use a remoteIPValve or the remote HostValve to block the incoming calls to my server.   The problem with this so far is that I am running behind an F5 BigIP load balancer and I only seem to get the IP of the load balancer and not the remote host.  So not sure how to configure this yet.   I am checking with the F5 admin to see if they are passing the X-Forwarded-For header or not.

Anyway if anyone else out there has any experience with CAS and/or this issue I would appreciate any assistance you can provide.

If/When I resolve this issue I will report back in case others ever encounter it.   Not that I can find logs for these collab lists anymore but at least it will be out there somewhere.

Ron
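
Added example, not part of the original posts and not Kuali, Rice or CAS client code: the callback described in the second message matches the CAS protocol's back-channel single logout, in which the server POSTs a `logoutRequest` form field to the service URL with the service ticket in `SessionIndex`, and the client ends the session it recorded for that ticket. The sketch assumes that is the mechanism at work here; `session_index`, `TicketSessionMap` and all sample values are hypothetical and constructed.

```python
# Added illustration of CAS back-channel single logout handling (assumed mechanism).
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the form field a CAS server POSTs to the service URL.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-constructed" Version="2.0" IssueInstant="2020-10-04T17:16:19Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-constructed-example</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


def session_index(logout_request):
    """Return the service ticket named in a logoutRequest body, or None."""
    if "<!DOCTYPE" in logout_request or "<!ENTITY" in logout_request:
        return None  # a logout message has no reason to carry a DTD or entities
    try:
        root = ET.fromstring(logout_request)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    node = root.find("{%s}SessionIndex" % SAMLP)
    return node.text.strip() if node is not None and node.text else None


class TicketSessionMap:
    """Hypothetical stand-in for a client-side ticket -> HTTP session map."""

    def __init__(self):
        self._by_ticket = {}

    def record_login(self, service_ticket, session_id):
        # Happens once, when the browser returns from CAS with ?ticket=ST-...
        self._by_ticket[service_ticket] = session_id

    def handle_post(self, form):
        """Return the session id to invalidate, or None if not a logout callback."""
        body = form.get("logoutRequest")
        ticket = session_index(body) if body else None
        return self._by_ticket.pop(ticket, None) if ticket else None
```

Logging whether POSTs to the service URL carry a `logoutRequest` field is a quick way to confirm or rule out this path on a real deployment.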

