HOWTO Configure Single Sign On Session Timeout

Owned by Andrew Petro
Last updated: Jul 09, 2009 by Marvin AddisonVersion comment
2 min read

This HOWTO describes how to control SSO session timeouts (after which user must reauthenticate) by modifying the ticket-granting ticket expiration policy.

CAS ticket timeouts are configured in ticketExpirationPolicies.xml . In CAS 3.2.1.1 source this lives at

/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml

This configuration file is deployed into

TOMCAT/webapps/cas/WEB-INF/spring-configuration/ticketExpirationPolicies.xml

This file configures two policies. Relevant for configuring single sign on session timeouts is configuration of ticket granting ticket expiration.

By default these tickets are configured to expire after 7,200,000 milliseconds == 7,200 seconds == 2 hours.

ticketExpirationPolicies.xml default configuration of ticket granting ticket timeout of 2 hours
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="0"
value="7200000" />
</bean>

Suppose you'd prefer ticket granting tickets remain valid for 45 minutes == 2,700 seconds == 2,700,000 milliseonds before expiring. Here's how you'd configure that:

ticketExpirationPolicies.xml changed configuration of ticket granting ticket timeout to 45 minutes
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="0"
value="2700000" />
</bean>

This timeout is independent of the CAS web application session timeout, which is only important for keeping user place in the login workflow. That timeout is configured in the CAS webapp web.xml and defaults configured to five minutes:

Default configuration in CAS server web.xml of five minute application session timeout
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
...
<session-config>
<!-- Default to 5 minute session timeouts -->
<session-timeout>5</session-timeout>
</session-config>
...
</web-app>

Changing this value will change the interval of time in which CAS remembers the user's place in the login workflow, e.g. if the user takes some time after first rendering the CAS login screen to read his password from the sticky note on his monitor and type it into the CAS login form. Changing this value will not change the interval of time in which a CAS ticket granting cookie (bearing a ticket granting ticket) is valid.

Changing this session timeout interval is typically only interesting if the login workflow is also enhanced to include more interesting and time-consuming steps or if user-facing functionality other than the login workflow is being provided via the CAS web application. For instance, a session timeout of five minutes while interacting with administrative panes of the optional services registry management application in CAS might well be annoying and worth increasing to make that application more usable.