Friday, December 4, 2009

Solution for independent session timeout setting between CAS Server and Client Applications.

The standard CAS implementation handles session timeout with a single global setting that overrides any client application's own timeout.
The simple scenario is like this:
Setting:
CAS Session Timeout: 60 minutes;
App Session Timeout: 30 minutes.
Steps:
1. Log on to the App through CAS;
2. Leave the App idle for 30 minutes;
3. The App is still alive and can be used without logging in again.

But many customers have this requirement: keep the client application's own session timeout.
The simple scenario is like this:
Setting:
CAS Session Timeout: 60 minutes;
App1 Session Timeout: 30 minutes;
App2 Session Timeout: 45 minutes.
Steps:
1. Log on to App1 through CAS;
2. Leave App1 idle for 30 minutes;
3. Click in App1 and you will be redirected to the CAS login page.
4. Access the App2 URL within 60 minutes of the first logon; you can still access App2 without logging in.

Solution:
When the App session is logged out, provide a renew-like function so that the user has to re-authenticate when trying to access that App again.
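To make the difference between the two scenarios concrete, here is an added model (not code from the original post or from CAS itself) of the decision a client application makes when a request arrives. It assumes the CAS server's standard `renew=true` login parameter as the "renew-like function" the post describes, an assumed CAS URL `https://cas.example.com/cas/login`, and replays the post's own timings in minutes.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

CAS_LOGIN = "https://cas.example.com/cas/login"   # assumed CAS server URL

@dataclass
class Session:
    timeout: int                      # idle timeout in minutes
    last_seen: Optional[int] = None   # minute of last activity; None = no session

    def alive(self, now: int) -> bool:
        return self.last_seen is not None and now - self.last_seen < self.timeout

    def expired(self, now: int) -> bool:
        # A session that once existed but has idled past its timeout.
        return self.last_seen is not None and not self.alive(now)

def login_url(service: str, renew: bool) -> str:
    # CAS protocol: renew=true tells the server to prompt for credentials
    # even if the browser still carries a valid SSO (TGT) cookie.
    params = {"service": service}
    if renew:
        params["renew"] = "true"
    return f"{CAS_LOGIN}?{urlencode(params)}"

def login(app: Session, cas: Session, now: int) -> None:
    # Interactive login establishes both the CAS SSO session and the app session.
    cas.last_seen = app.last_seen = now

def access(app: Session, cas: Session, name: str, now: int, enforce: bool) -> str:
    """Outcome of a request to app `name` at minute `now`. enforce=True applies the
    post's fix: an app whose own session timed out demands renew=true."""
    if app.alive(now):
        app.last_seen = now
        return "served"
    renew = enforce and app.expired(now)
    if cas.alive(now) and not renew:
        # Standard behaviour: CAS issues a service ticket from the live TGT,
        # the app session is re-created and the user never sees a login page.
        cas.last_seen = app.last_seen = now
        return "served-via-sso"
    return "login:" + login_url(f"https://{name}.example.com/", renew)

def run_scenario(enforce: bool) -> list:
    """Replay the post's timeline: log in to App1 at minute 0, use App1 at 30, App2 at 50."""
    cas = Session(timeout=60)
    app1, app2 = Session(timeout=30), Session(timeout=45)
    login(app1, cas, now=0)
    return [access(app1, cas, "app1", 30, enforce), access(app2, cas, "app2", 50, enforce)]
```

With `enforce=False` App1 is silently re-established from the CAS session at minute 30; with `enforce=True` App1 sends the user to the login page with `renew=true`, while App2, which never had a session of its own, is still served through SSO at minute 50, exactly as step 4 describes.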
