Forum Discussion
Michael_Jenkins
Cirrostratus
CirrostratusInactivity Timeouts
We have an environment set up where we need to specify different inactivity timeouts depending on the user and/or incoming connection IP. I have an iRule that gets run on a new authenticated session that changes the session timeouts I'm aware of...
ACCESS::session data set session.inactivity_timeout 10800
ACCESS::session data set session.max_session_timeout 10800
Even though this should be for 3hrs, we have users that are getting timed out after 15 minutes (which is the Access Policy default.
Is there a different/better way that we should be changing the inactivity timeout?
Thanks!
- Kevin_Stewart
Employee
Can you a) verify that the inactivity_timeout value in the session is getting changed to the correct value, and b) that there's no underlying keep-alives keeping the session alive?
Michael_JenkinsWhen I look in the APM reports for session variables, it shows session.inactivity_timeout is set to 10800. But I still get timed out after 15 minutes.
One other intricacy to note is that our environment is set up such that we use VIPs on different access policies but redirect the user to a single VIP for authentication, so they can access resources across different VIPs that we dont want to use the same Access Policy (we use basically empty policies for these since we're redirecting to a different vip)
- Kevin_Stewart
So... is this an APM multi-domain configuration? SAML? Or something homegrown? Are you applying the session activity timeout to the authentication policy or to the individual application policies?
- Michael_Jenkins
It's a single domain configuration. We basically a couple paths into the system. One that allows for rewriting through APM and the other which we do custom iRule rewriting and delivery. So the second one gets redirected to the first if there's no active session for its authentication, so the second one just handles whatever session gets assigned from our primary profile. In the primary policy, we're setting the default timeout to 15 minutes, and in an iRule that checks the user connection for intranet/internet IP and modifies the inactivity timeout (those two variables above) to 3 hrs.
- Kevin_Stewart
I may still be missing the flow here. So there are (at least) two APM VIPs. When I say "multi-domain configuration", I'm referring to the multi-domain configuration setting in the access policy itself - which technically sets a domain cookie in a single domain. In any case, are you setting the APM session token as a domain cookie? If not, how are the two APM VIPs sharing the session information?
- Michael_Jenkins
Sorry. We are not using a "multi-domain configuration" as it would be set in the APM policy, but we have our own homegrown iRules that set a domain level cookie so the session can be shared across the VIPs.
- Kevin_Stewart
Okay then, it's starting to come together. So for clarity, you have two APM VIPs. When a user accesses one of the VIPs (the one with the empty policy), you redirect them to the other APM VIP where they're authenticated and issued a domain-scoped cookie, and then redirected back to the first VIP. Can you verify that the first VIP is 1) actually getting this cookie (the browser is sending it), and 2) that the VIP is actually consuming the cookie (use an iRule to enumerate a session variable collected from the other VIP).
- Michael_Jenkins
It is getting it, as I can access applications through VIP2 after authenticating through VIP1. We also have iRules to enforce valid cookie existence for APM sessions across both VIPs.
But with regard to inactivity timeouts, do you know if setting the session.inactivity_timeout session variable is the proper way to modify APM session timeout?
- Kevin_Stewart
do you know if setting the session.inactivity_timeout session variable is the proper way to modify APM session timeout?
It is.
If you adjust the idle timeout in the empty access policy, does that affect the timeout to this VIP?
