I have a requirement for a Java web application I am writing that users can have one active session. The session should not be idle for more than 30 minutes and the maximum lifetime of a single session is 8 hours.
To accomplish this, the maximum time a ticket granting ticket is valid is set to 8 hours and the idle session timeout is set to 30 minutes in CAS. In the web.xml of the application, the session config has a timeout set to 20 minutes. To limit a user's session, I am using Spring Security's session management concurrency control in the web application. The max-sessions property is set to 1 and the error-if-maximum-exceeded is set to true.

The issue I am seeing is that if a user remains active within the web application for more than 1 hour, the session seems to be expired in CAS by the ticket registry cleaner, causing the user to re-authenticate. This would seem to make sense given that the user is active and the web application would not try to request a new service ticket since a max-age is not set on the application session. Setting a max-age on the application session causes issues because after the session expires, the application creates a new session and the Spring Security session management concurrency control blocks the user's access because it is detecting more than one active session for the user.

What properties should I set or what configuration is recommended that will limit users to a single active session, expire sessions that are idle for 30 minutes, and allow for a maximum lifetime for a single session of 8 hours?

Thank you,
Daniel
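The three timers in the post (the CAS ticket-granting ticket's idle and maximum lifetime, the container's session-timeout, and Spring Security's single-session limit) interact in a way that is easier to see replayed than argued about. The following Python model is an added example, not code from the post, from CAS or from Spring Security. It replays a sequence of request times against those timers using the values from the post. Everything else is the model's own assumption: the scenario names and request spacing, an idealized container reaper that invalidates idle sessions and removes them from Spring's registry (what HttpSessionEventPublisher does on session destruction), the assumption that an application-enforced max-age discards the session without removing it from that registry unless it explicitly invalidates it, and evaluating TGT expiry at the moment CAS is next asked for a service ticket rather than on the registry cleaner's schedule.

```python
"""Timer model of the three layers described in the post: CAS ticket-granting
ticket (TGT) idle and maximum lifetime, the servlet container's session-timeout,
and Spring Security concurrency control (max-sessions="1",
error-if-maximum-exceeded="true").  Constructed model for reasoning about the
configuration, not CAS or Spring Security code.  All times are in seconds."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

TGT_MAX_LIFETIME = 8 * 3600   # CAS TGT maximum lifetime (8 h), from the post
TGT_IDLE_TIMEOUT = 30 * 60    # CAS TGT idle timeout (30 min), from the post
APP_IDLE_TIMEOUT = 20 * 60    # web.xml <session-timeout>20</session-timeout>, from the post

Event = Tuple[int, str, bool]  # (time, "interactive" | "sso", accepted by concurrency control)


@dataclass
class Tgt:
    created: int
    last_used: int  # refreshed only when CAS grants a service ticket

    def expired(self, now: int) -> bool:
        return (now - self.created >= TGT_MAX_LIFETIME
                or now - self.last_used >= TGT_IDLE_TIMEOUT)


@dataclass
class AppSession:
    created: int
    last_used: int           # refreshed on every request the app serves itself
    max_age: Optional[int]   # application-enforced maximum age, if any (assumed feature)

    def idle_expired(self, now: int) -> bool:
        return now - self.last_used >= APP_IDLE_TIMEOUT

    def max_age_expired(self, now: int) -> bool:
        return self.max_age is not None and now - self.created >= self.max_age


def simulate(request_times: List[int], app_max_age: Optional[int] = None,
             invalidate_on_max_age: bool = True) -> Tuple[List[Event], Optional[int]]:
    """Replay requests.  Returns the CAS/Spring login events and the age of the
    app session still alive after the last request (None if there is none)."""
    tgt: Optional[Tgt] = None
    session: Optional[AppSession] = None
    registry: List[AppSession] = []   # sessions Spring's SessionRegistry still knows about
    events: List[Event] = []

    for now in request_times:
        # Idealized container reaper (assumption): idle sessions are invalidated and
        # the session-destroyed event removes them from Spring's registry.
        registry = [s for s in registry if not s.idle_expired(now)]
        if session is not None and session.idle_expired(now):
            session = None
        if session is not None and session.max_age_expired(now):
            # The post's symptom: the app drops the session and starts a new one.
            # Only an explicit invalidate would also remove it from the registry.
            if invalidate_on_max_age:
                registry = [s for s in registry if s is not session]
            session = None

        if session is not None:
            session.last_used = now   # served locally; CAS is never contacted
            continue

        # No usable session: the CAS client redirects to the CAS server.
        if tgt is None or tgt.expired(now):
            tgt = Tgt(created=now, last_used=now)   # password prompt
            kind = "interactive"
        else:
            tgt.last_used = now                     # silent SSO via a new service ticket
            kind = "sso"

        # Spring Security concurrency control at authentication time.
        accepted = len(registry) < 1
        events.append((now, kind, accepted))
        if accepted:
            session = AppSession(created=now, last_used=now, max_age=app_max_age)
            registry.append(session)

    age = None if session is None else request_times[-1] - session.created
    return events, age


# Constructed scenarios (assumed request patterns).
def active_every_5_minutes_for_9_hours():
    return simulate(list(range(0, 9 * 3600 + 1, 300)))


def gaps_of_25_minutes_for_2_hours():
    return simulate(list(range(0, 2 * 3600 + 1, 1500)))


def app_max_age_without_invalidation():
    return simulate(list(range(0, 8 * 3600 + 1801, 300)),
                    app_max_age=8 * 3600, invalidate_on_max_age=False)


def app_max_age_with_invalidation():
    return simulate(list(range(0, 8 * 3600 + 1801, 300)),
                    app_max_age=8 * 3600, invalidate_on_max_age=True)


if __name__ == "__main__":
    for scenario in (active_every_5_minutes_for_9_hours, gaps_of_25_minutes_for_2_hours,
                     app_max_age_without_invalidation, app_max_age_with_invalidation):
        print(scenario.__name__, *scenario())
```

What the replay makes visible: a user who keeps clicking never lets the container's 20-minute idle timer fire, so the application never redirects to CAS, the TGT's idle and 8-hour limits are never consulted, and the application session in the first scenario is still alive at nine hours. With gaps of 25 minutes the container drops the session, CAS silently re-issues a service ticket from the still-live TGT, and each silent login also refreshes the TGT's idle timer. The concurrency block in the third scenario appears only because the max-age-expired session is still in Spring's registry at the moment of the next login; it clears by itself once the container idles that session out, and it does not occur at all in the fourth scenario, where the expired session is invalidated before the new login.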
