On Mon, Jul 23, 2012 at 3:18 AM, Ronen Itkin <[email protected]> wrote:

> Hi Phil,
>
> Thanks for the quick response!
>
> The thing is that I have set mod_cas_auth timeout parameters to a very
> high threshold and left Cas's xml file as default
> and it seems like my users are still being kicked off after two hours, *Can
> you think of a reason why??* (By the way I am working with JPA ticket
> registration using mysql).
>
> *Cas web app (tomcat) 'web.xml'*
>         <session-config>
>                 <!-- Default to 5 minute session timeouts -->
>                 <session-timeout>5</session-timeout>
>         </session-config>
>
> *mod_cas_auth configurations:*
> # 30 days hard logout
> CASTimeout 2592000
> # 2 days idle time logout
> CasIdleTimeout 172800
> CASSSOEnabled On
>
>
This looks correct.  Do you have debug logs from mod_auth_cas which
indicate why the sessions are being expired? (CASDebug On, LogLevel Debug
for the VirtualHost).


> *'ticketExpirationPolicies.xml':*
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
>         <description>
>         Assignment of expiration policies for the different tickets
> generated by CAS including ticket granting ticket (TGT), service ticket
> (ST), proxy granting ticket (PGT), and proxy$
>         These expiration policies determine how long the ticket they are
> assigned to can be used and even how often they can be used before becoming
> expired / invalid.
>         </description>
>
>         <!-- Expiration policies -->
>         <bean id="serviceTicketExpirationPolicy"
> class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
>                 <!-- This argument is the number of times that a ticket
> can be used before it's considered expired. -->
>                 <constructor-arg
>                         index="0"
>                         value="1" />
>
>                 <!-- This argument is the time a ticket can exist before
> it's considered expired.  -->
>                 <constructor-arg
>                         index="1"
>                         value="10000" />
>         </bean>
>
>         <bean id="grantingTicketExpirationPolicy"
> class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
>                 <!-- This argument is the time a ticket can exist before
> it's considered expired.  -->
>                 <constructor-arg
>                         index="0"
>                         value="7200000" />
>         </bean>
> </beans>
>
>
> Any idea?
>
> Thanks!!
>
> On Sun, Jul 22, 2012 at 5:34 PM, Phil Ames <[email protected]> wrote:
>
>>
>>
>> On Sun, Jul 22, 2012 at 6:10 AM, Ronen Itkin <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I have noticed that there are several places to tune different timeout
>>> parameters.
>>> I am using mod_cas_auth as a Cas client and there are two configurable
>>> directives (/etc/apache2/httpd.conf):
>>>
>>> *Directive*: CASTimeout
>>> *Default*: 7200 (2 hours)
>>> *Description*: This is the hard limit, in seconds, for a mod_auth_cas
>>> session (whether
>>> it is idle or not). When a session has reached this age and a new
>>> request is made, the user is redirected to the CASLoginURL to
>>> obtain a new service ticket. When this new ticket is validated,
>>> they will be assigned a new mod_auth_cas session.
>>>
>>> *Directive*: CASIdleTimeout
>>> *Default*: 3600 (1 hour)
>>> *Description*: This is a limit, in seconds, of how long a mod_auth_cas
>>> session can be idle.
>>> When a request comes in, if it has been inactive for CASIdleTimeout
>>> seconds, the user is redirected to the CASLoginURL to obtain a new
>>> service ticket
>>>
>>> I can also configure timeout parameters on Cas itself, in the
>>> 'ticketExpirationPolicies.xml'.
>>> I guess that the xml option is wider and I can configure more sets of
>>> timeout parameters.
>>>
>>> But regarding those two I can configure on /etc/apache2/httpd.conf, are
>>> there similar configurations on 'ticketExpirationPolicies.xml'?
>>> Which one is being enforced?
>>>
>>>
>> Both are enforced, and kick in under different circumstances.
>>
>>
>>> Basically I want to set Idle connection timeout to 4 hours (have it
>>> redirected to logout screen afterwards) and *not to have a hard limit
>>> timeout at all,*
>>> what is the most suitable way of doing it?
>>>
>>>
>> You'd want to set the idle timeout to 4 hours, and the hard timeout to
>> some egregiously large value.  There probably is some realistic upper bound
>> where you want people to re-authenticate (even if it's something like 5
>> days to account for a work week).
>>
>>
>>> Is there a way to set CASTimeout to "never" (setting it to '-1' or '0'
>>> does not seem to work).
>>>
>>>
>> An "infinite" hard timeout is not supported.
>>
>>
>>>  Thanks!!
>>>
>>>
>>>
>>> --
>>> *Ronen Itkin*
>>> Taykey | www.taykey.com
>>>
>>>  --
>>> You are currently subscribed to [email protected] as: 
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see 
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>>
>>
>
>
> --
> *Ronen Itkin*
> Taykey | www.taykey.com
>
>
>
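
The timers quoted in this thread are written in different units, which makes them hard to compare by eye. The following is an added example, not part of the original messages and not CAS or mod_auth_cas code: it parses the quoted directives and policy beans and puts them on one scale, treating the XML values as milliseconds (the unit these CAS 3.x policy classes take). The function names are hypothetical, and the result says which timer is shortest, not which one ended a given session.

```python
import re
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}

# Constructed inputs reproducing the values quoted in the thread.
HTTPD_CONF = """\
# 30 days hard logout
CASTimeout 2592000
# 2 days idle time logout
CasIdleTimeout 172800
CASSSOEnabled On
"""

POLICIES_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="serviceTicketExpirationPolicy"
        class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
    <constructor-arg index="0" value="1" />
    <constructor-arg index="1" value="10000" />
  </bean>
  <bean id="grantingTicketExpirationPolicy"
        class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
    <constructor-arg index="0" value="7200000" />
  </bean>
</beans>
"""

def client_timeouts(conf):
    """mod_auth_cas timeouts in seconds (Apache directive names are case-insensitive)."""
    pattern = r"^[ \t]*(CASTimeout|CASIdleTimeout)[ \t]+(\d+)[ \t]*$"
    return {m.group(1).lower(): int(m.group(2)) for m in re.finditer(pattern, conf, re.I | re.M)}

def server_timeouts(xml_text):
    """CAS ticket lifetimes per policy bean, converted from milliseconds to seconds."""
    out = {}
    for bean in ET.fromstring(xml_text).findall("b:bean", NS):
        # In both policy classes shown, the time value is the highest-index argument.
        args = sorted(bean.findall("b:constructor-arg", NS), key=lambda a: int(a.get("index")))
        out[bean.get("id")] = int(args[-1].get("value")) / 1000
    return out

def shortest_timer(conf, xml_text):
    """Name and value (seconds) of the smallest of the client timers and the TGT lifetime."""
    timers = client_timeouts(conf)
    timers["grantingTicketExpirationPolicy"] = server_timeouts(xml_text)["grantingTicketExpirationPolicy"]
    name = min(timers, key=timers.get)
    return name, timers[name]
```

With the values from the thread, the ticket granting ticket lifetime comes out at 7200 seconds, far below both mod_auth_cas limits; the mod_auth_cas debug logs requested in the reply would show whether that is what ends the sessions.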
