IBM Verify


relaxing session inactivity-timeout on specific resources

  • 1.  relaxing session inactivity-timeout on specific resources

    Posted Wed March 10, 2021 04:14 AM

    Hi,

    In our environment, I have configured the following:

    [session]
    timeout = 3600
    inactive-timeout = 600

    If there is inactivity in the user's browser, the user session is terminated after 10 min; otherwise the session TTL is 1 hour.

    I am working on a new requirement where for certain endpoints the session should not be terminated after the inactive-timeout. (Ajax script running in the background of a client browser polls this resource.)

    I played around with the two properties below, available in the ISAM 9.0.5 Reverse Proxy, but I am not able to achieve the desired outcome:

    preserve-inactivity-timeout-match-uri = true
    preserve-inactivity-timeout = /demo/*

    After the inactive-timeout, when I try to access the resource behind the /demo junction, I am asked to re-authenticate.

    Any idea on how to retain the session after the inactivity-timeout?

    Regards.


  • 2.  RE: relaxing session inactivity-timeout on specific resources

    Posted Fri March 19, 2021 02:51 PM

    Hi,

    The setting you are using, preserve-inactivity-timeout, does not work the way that you think it does. This setting tells WebSEAL that requests matching this pattern should NOT keep a session active. It preserves the inactivity counter, as if the user were not making requests. The intention of this setting is that if you have an Ajax script polling a resource every 5 min, the session would still time out if the user does not access some other resource within 10 min. In other words, it prevents the Ajax script from keeping the session active.

    There is no way to keep a session active longer than the inactivity-timeout if the session is not active. You can have WebSEAL retain the session for tracing and reauthentication reasons, but it will still be marked as inactive and require reauthentication once inactive to access a protected resource.

    There are two main approaches to the problem you have presented.

    1) Have the Ajax script poll more frequently than the idle timeout.

    2) If you want to exempt an entire session from the default inactivity timer, you can do that when the user logs in, or later you can trigger a policy to an infomap or use step-up. From that you can refresh the session and the credential attributes, but also include the special EAI header to set a longer than default inactive timeout, as described in the IBM Documentation:

    https://www.ibm.com/support/knowledgecenter/en/SSPREK_10.0.1/com.ibm.isva.doc/wrp_config/task/tsk_set_client_sess_inact_val.htm

    Also, I do not recommend that you continue to use 9.0.5.0. 9.0.5.0 has not received any security updates since April 2019 and is out of date. There have been a few security fixes. The latest version is ISVA 10.0.1.0.

    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Verify+Access&release=9.0.5.0&platform=Linux&function=fixId&fixids=10.0.1-ISS-ISVA-FP0000&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

    IF1 for 10.0.1.0 just released, which can be applied after you have upgraded to 10.0.1.0.

    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Verify+Access&release=10.0.1.0&platform=Linux&function=fixId&fixids=10.0.1.0-ISS-ISVA-IF0001&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

    Please open a case if you have any further questions.
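The inactivity-counter semantics explained in the reply above, as an added illustrative model that is not WebSEAL code or part of this thread: it assumes shell-style glob matching for preserve-inactivity-timeout, a per-session inactive timeout that an EAI header could raise, and the asker's 3600/600 second values.

```python
import fnmatch
from dataclasses import dataclass

# Constructed model of the two WebSEAL session timers from the thread.
TIMEOUT = 3600            # [session] timeout: absolute session lifetime
INACTIVE_TIMEOUT = 600    # [session] inactive-timeout: idle limit
PRESERVE_MATCH_URI = True                 # preserve-inactivity-timeout-match-uri
PRESERVE_PATTERNS = ["/demo/*"]           # preserve-inactivity-timeout (glob assumed)


@dataclass
class Session:
    created: int
    last_active: int
    # Assumption: an EAI response can raise this for a single session.
    inactive_timeout: int = INACTIVE_TIMEOUT


def request(session: Session, now: int, path: str) -> str:
    """Serve one request at time `now`; return 'ok', 'ok-not-counted',
    or the reason re-authentication would be demanded."""
    if now - session.created >= TIMEOUT:
        return "lifetime-expired"
    if now - session.last_active >= session.inactive_timeout:
        return "inactive-expired"
    if PRESERVE_MATCH_URI and any(fnmatch.fnmatch(path, p) for p in PRESERVE_PATTERNS):
        # Matching requests are served but leave the idle counter untouched,
        # so a background poll on /demo/* cannot keep the session alive.
        return "ok-not-counted"
    session.last_active = now  # any other request resets the idle counter
    return "ok"


def simulate(events, inactive_timeout: int = INACTIVE_TIMEOUT):
    """Replay chronologically ordered (time, path) events for one session."""
    s = Session(created=0, last_active=0, inactive_timeout=inactive_timeout)
    return [(t, path, request(s, t, path)) for t, path in events]


if __name__ == "__main__":
    # The asker's scenario: user idle, Ajax polls /demo/* every 5 min.
    for row in simulate([(300, "/demo/status"), (600, "/demo/status")]):
        print(row)
```

Running the module shows the poll at 300 s served without resetting the counter and the poll at 600 s rejected as inactive, which is exactly the re-authentication prompt the question describes; polling a non-preserved path (approach 1) or raising the per-session idle limit (approach 2) changes the outcome.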