HOWTO Configure Single Sign On Session Timeout
This HOWTO describes how to control the SSO session timeout (the interval after which the user must reauthenticate) by modifying the ticket-granting ticket expiration policy.
CAS ticket timeouts are configured in ticketExpirationPolicies.xml . In CAS 3.2.1.1 source this lives at
/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml
This configuration file is deployed into
TOMCAT/webapps/cas/WEB-INF/spring-configuration/ticketExpirationPolicies.xml
This file configures two policies: one for service tickets and one for ticket granting tickets. The one relevant to the single sign on session timeout is the ticket granting ticket expiration policy.
By default these tickets are configured to expire after 7,200,000 milliseconds == 7,200 seconds == 2 hours. Note that TimeoutExpirationPolicy measures this interval from the ticket's last use, so a TGT that is actively being used to obtain service tickets stays valid; it expires only after that much inactivity, not at a fixed time after login.
  <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
    <!-- This argument is the time a ticket can exist before it's considered expired. -->
    <constructor-arg index="0" value="7200000" />
  </bean>
Suppose you'd prefer ticket granting tickets remain valid for 45 minutes == 2,700 seconds == 2,700,000 milliseconds before expiring. Here's how you'd configure that:
  <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
    <!-- This argument is the time a ticket can exist before it's considered expired. -->
    <constructor-arg index="0" value="2700000" />
  </bean>
This timeout is independent of the CAS web application's servlet session timeout, which matters only for keeping the user's place in the login workflow. That timeout is configured in the CAS webapp web.xml, in minutes, and defaults to five minutes:
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
      version="2.4">
    ...
    <session-config>
      <!-- Default to 5 minute session timeouts -->
      <session-timeout>5</session-timeout>
    </session-config>
    ...
  </web-app>
Changing this value changes how long CAS remembers the user's place in the login workflow, e.g. if the user takes some time after the CAS login screen is first rendered to read his password from the sticky note on his monitor and type it into the CAS login form. Changing this value will not change how long a CAS ticket granting cookie (bearing a ticket granting ticket) remains valid.
Changing this session timeout interval is typically only interesting if the login workflow is also enhanced to include more interesting and time-consuming steps or if user-facing functionality other than the login workflow is being provided via the CAS web application. For instance, a session timeout of five minutes while interacting with administrative panes of the optional services registry management application in CAS might well be annoying and worth increasing to make that application more usable.