Hello Rahil,
WebSEAL includes a capability to call the logout URL of a backend application when a logout/timeout occurs. I don't know for sure but this might also get triggered by a displace event with DSC. You could try it.
#-----------------------------
# BACK-END SERVER SINGLE SIGN-OFF
#-----------------------------
# When a user's session is terminated in WebSEAL, any sessions that may exist
# on back-end application servers are not destroyed. When this item is
# configured, WebSEAL will send a request to the configured URI's including
# any configured headers and cookies for the junction point on which it resides.
# The backend application can use this information to terminate any sessions
# for that user.
#
# Multiple URI's can be specified by including multiple single-signoff-uri
# configuration entries.
#
# The configured URI must reside on a standard junction. For example:
# single-signoff-uri = /app/logout.asp
In order for this to work, the cookies that the application uses to identify the user session must be stored in the WebSEAL cookie jar - otherwise it won't be able to trigger the logout of the user session at the backend when there is no browser involved.
# The managed-cookies-list contains patterns that will be matched
# against the names of cookies returned by junctioned servers to determine
# whether the cookie should be stored in the WebSEAL cookie jar.
# Items in the managed-cookies-list should be comma separated and there should
# be no white space separating cookie names. The WebSEAL cookie jar is turned
# off by not specifying any cookies in the managed-cookies-list.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
#managed-cookies-list = JSESS*,Ltpa*
I'm still a little confused by your statement that "when you go back to browser A and tries to access some content it will server the resources but the expectation here is to take the user to login page as the user session is already displaced as per the above implementation."
If session displacement is configured (i.e. policy set max-concurrent-web-sessions displace) then when login at Browser B is performed, ISAM session at Browser A should be removed and login would be required at next access there. If that isn't the case, something else is wrong.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
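An added example, not part of Jon's message and not IBM code: an offline check that a WebSEAL configuration meets both conditions described above, a single-signoff-uri on the junction and the application's session cookie covered by managed-cookies-list. The sample configuration, the [acnt-mgt] placement of single-signoff-uri, the function names and the shell-style wildcard matching are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample; the [acnt-mgt] placement of single-signoff-uri is assumed.
SAMPLE_CONF = """\
[acnt-mgt]
single-signoff-uri = /app/logout.asp
[junction]
#managed-cookies-list = JSESS*,Ltpa*
[junction:/app]
managed-cookies-list = JSESS*,Ltpa*
"""

def parse_stanzas(text):
    """Return {stanza: [(key, value), ...]}, keeping repeated keys."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out entries are not configured
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas

def check_signoff(text, junction, session_cookies):
    """List reasons back-end sign-off would not work for this junction."""
    st = parse_stanzas(text)
    problems = []
    uris = [v for kv in st.values() for k, v in kv if k == "single-signoff-uri"]
    if not any(u.startswith(junction + "/") for u in uris):
        problems.append(f"no single-signoff-uri under {junction}")
    # A [junction:{jct_id}] entry overrides the global [junction] one.
    managed = ""
    for name in (f"junction:{junction}", "junction"):
        vals = [v for k, v in st.get(name, []) if k == "managed-cookies-list"]
        if vals:
            managed = vals[-1]
            break
    if not managed:
        problems.append("cookie jar is off: managed-cookies-list is empty")
    if any(c.isspace() for c in managed):
        problems.append("white space in managed-cookies-list")
    patterns = [p for p in managed.split(",") if p]
    for cookie in session_cookies:
        if not any(fnmatchcase(cookie, p) for p in patterns):  # assumed glob rules
            problems.append(f"cookie {cookie} is not stored in the cookie jar")
    return problems
```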
Original Message:
Sent: Thu April 23, 2020 03:24 AM
From: Rahil Anwar
Subject: User Session Termination on Closing the Browser
Dear Jon/Scott,
Yes, we have DSC in place and PKMSDISPLACE is working fine. Is there a way to call the application logout URL before performing this displace action for the user?
Please find the attached html where we are performing this activity of displace automatically.
Is there a way to call the application logout page before performing displacing in ISAM?
------------------------------
Rahil Anwar
Original Message:
Sent: Wed April 22, 2020 07:02 AM
From: Jon Harry
Subject: User Session Termination on Closing the Browser
Hi Rahil,
The Session Displace function should do what you need... and you shouldn't need to manually redirect user to pages - that should be handled based on policy.
Have you configured "Distributed Session Cache" (DSC) in your ISAM environment? That is a prerequisite for using the max-session functionality. If you don't have DSC deployed and integrated with Reverse Proxies then these configuration options will have no effect.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Wed April 22, 2020 06:16 AM
From: Rahil Anwar
Subject: User Session Termination on Closing the Browser
Hi Scott,
Thanks for your reply.
Can you please share your thoughts on the below implementation in ISAM?
1) setting max-concurrent-session to displace where too_manysession.html will be displaced and on multiple session we have redirected the user to /pkmsdisplace?{token} but this is not completing the customer requirement.
pkmsdisplace also has a drawback: if a user logs in to browser A and session A is created for the user, and if the same user, without terminating the session or closing the browser, tries to log in in browser B, a session B will be created as ISAM detected the existing session and displaces the existing one with the new one, but when you go back to browser A and try to access some content it will serve the resources, but the expectation here is to take the user to the login page as the user session is already displaced as per the above implementation.
Can you please suggest how to log out and take the user to the login page in browser A if the user logs in to browser B and goes back to browser A?
Thanks and Regards
------------------------------
Rahil Anwar
Original Message:
Sent: Wed April 22, 2020 03:00 AM
From: Scott Exton
Subject: User Session Termination on Closing the Browser
Unfortunately there is no way for a server to be able to automatically determine that a client has closed. It is up to the client to 'tell' the server that it is about to close. The way that other sites do this is by embedding JavaScript in their applications. The JavaScript is called by the browser when the window closes, and the JavaScript can then call '/pkmslogout'.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Access Manager
IBM Master Inventor
Phone: 61-7-5552-4008 | E-mail: scotte@au1.ibm.com | 1 Corporate Court Bundall, QLD 4217 Australia
Original Message------
Hi Community Members,
ISAM V9.0.6 is implemented in one of our client environments where we have one requirement regarding user session termination on closing the browser.
Detailed explanation:
If a user logs in to a protected application, a session in ISAM and the end application will be created, and once the user closes the browser (with our pkmslogout being called), we want the user session to be terminated, and when he logs in next time he should be created with a new session.
We have tried the following options:
1) setting max-concurrent-session to displace where too_manysession.html will be displaced and on multiple session we have redirected the user to /pkmsdisplace?{token} but this is not completing the customer requirement.
pkmsdisplace also has a drawback: if a user logs in to browser A and session A is created for the user, and if the same user, without terminating the session or closing the browser, tries to log in in browser B, a session B will be created as ISAM detected the existing session and displaces the existing one with the new one, but when you go back to browser A and try to access some content it will serve the resources, but the expectation here is to take the user to the login page as the user session is already displaced as per the above implementation.
Thanks and Regards,
------------------------------
Rahil Anwar
------------------------------