Hi,

Indeed, there is a fine tuning to "synchronize" the web session and SSO
session.

I would recommend increasing the idle timeout of the CAS server to
something greater than the web session, like one hour. This way, you would
reduce the likelihood of expiring the CAS session while still maintaining the
web session. This is the easiest solution.
For a zero-risk solution and a real "synchronization" between both
sessions, the best option is to artificially extend the SSO session by HTTP
calls from the web application (example given here:
https://www.casinthecloud.com/docs/tech/configuration.html).

Thanks.
Best regards,


Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
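
A small timeline model of the two sessions discussed in this thread, added here as an illustration; it is not part of the original message and not CAS code. It assumes a ticket-granting ticket (TGT) is marked as used only when CAS issues a service ticket or receives a keep-alive call, and that tickets expire exactly at the timeout; every name in it is hypothetical.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Timeouts:
    cas_idle: int        # minutes a TGT may go unused on the CAS server
    cas_max: int         # hard maximum TGT lifetime, minutes
    web_idle: int        # web application session timeout, minutes
    keepalive: int = 0   # minutes between keep-alive calls to CAS (0 = none)

def first_forced_login(cfg: Timeouts, requests: Iterable[int]) -> Optional[int]:
    """Minute of the first request that lands on the CAS login form, else None.

    The user logs in at minute 0; `requests` are the minutes of later clicks.
    """
    tgt_created = tgt_used = web_used = last_ping = 0
    for t in requests:
        # CAS side: the TGT dies on idle timeout or on the hard lifetime cap.
        if t - tgt_used > cfg.cas_idle or t - tgt_created > cfg.cas_max:
            return t
        # Web session timed out: the app redirects to CAS, which silently
        # issues a new service ticket and thereby marks the TGT as used.
        if t - web_used > cfg.web_idle:
            tgt_used = t
        # Keep-alive: the application touches the SSO session on the user's
        # behalf while the user is active in the application.
        if cfg.keepalive and t - last_ping >= cfg.keepalive:
            tgt_used = last_ping = t
        web_used = t
    return None

ACTIVE_USER = range(5, 500, 5)   # constructed input: one click every 5 minutes

if __name__ == "__main__":
    for label, cfg in [
        ("as posted (CAS idle 30, web 20)", Timeouts(30, 480, 20)),
        ("CAS idle raised to 60", Timeouts(60, 480, 20)),
        ("keep-alive every 10 min", Timeouts(30, 480, 20, keepalive=10)),
    ]:
        print(f"{label:35} -> re-login at minute {first_forced_login(cfg, ACTIVE_USER)}")
```

In this model a continuously active user never lets the web session expire, so nothing refreshes the TGT until a keep-alive is added; the 8-hour cap still applies in every case.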

2015-01-01 20:58 GMT+01:00 Daniel <d.mcfe...@gmail.com>:

> I have a requirement for a Java web application I am writing that users
> can have one active session.  The session should not be idle for more than
> 30 minutes and the maximum lifetime of a single session is 8 hours.
>
> To accomplish this, the maximum time a ticket granting ticket is valid is
> set to 8 hours and the idle session timeout is set to 30 minutes in CAS.
> In the web.xml of the application, the session config has a timeout set to
> 20 minutes.  To limit a user's session, I am using Spring Security's session
> management concurrency control in the web application.  The max-sessions
> property is set to 1 and the error-if-maximum-exceeded is set to true.
>
> The issue I am seeing is that if a user remains active within the web
> application for more than 1 hour, the session seems to be expired in CAS by
> the ticket registry cleaner, causing the user to re-authenticate.  This would
> seem to make sense given that the user is active and the web application
> would not try to request a new service ticket since a max-age is not set on
> the application session.  Setting a max-age on the application session causes
> issues because after the session expires, the application creates a new
> session and the Spring Security session management concurrency control
> blocks the user's access because it is detecting more than one active
> session for the user.
>
> What properties should I set or what configuration is recommended that
> will limit users to a single active session, expire sessions that are idle
> for 30 minutes, and allow for a maximum lifetime for a single session of 8
> hours?
>
> Thank you,
>
> Daniel
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as: lel...@gmail.com
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
