Siteminder EnforceRealmTimeout works

Article ID: 368394

Updated On: 05-23-2024

Products

CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder)

Issue/Introduction

How the SMSESSION EnforceRealmTimeouts setting works

Environment

Policy Server (PS): Any version

OS: Any version

Resolution

With 'EnforceRealmTimeouts' set to "Yes" in the Agent Configuration Object (ACO), each Realm the user visits must have 'WebAgent-OnAuthAccept-Session-Idle-Timeout' and 'WebAgent-OnAuthAccept-Session-Max-Timeout' Responses configured in order to override the Timeout values specified on the "Session" tab of the Realm's Properties dialog. These Responses must be tied to an 'OnAuthAccept' Rule in an associated Policy in order to fire.

With 'EnforceRealmTimeouts' set to "Yes", if a User first accesses a protected resource in a Realm that is improperly configured (no 'WebAgent-OnAuthAccept-Session-Idle-Timeout' and 'WebAgent-OnAuthAccept-Session-Max-Timeout' Responses are set), the Timeout values that the Policy Server obtains from the Realm's Session tab are used for the User's Session, and these values are stored in the Web Agent's Session Cache for this Realm.

If the User then accesses a protected resource in a Realm that is properly configured with 'WebAgent-OnAuthAccept-Session-Idle-Timeout' and 'WebAgent-OnAuthAccept-Session-Max-Timeout' Responses, the User inherits the new Timeout values defined in those Responses. As the User traverses properly configured Realms, each Realm's Responses fire, and the User's Session is governed by the Responses of the Realm they are currently visiting, thus "enforcing Realm Timeouts".

If the User then accesses a protected resource in a Realm without the proper 'WebAgent-OnAuthAccept-Session-Idle-Timeout' and 'WebAgent-OnAuthAccept-Session-Max-Timeout' Responses set, the User keeps the Session Timeout values of the previous properly configured Realm visited.

However, if the User attempts to access another protected resource in the first mis-configured Realm visited, or in any mis-configured Realm visited before the User accessed a Realm properly configured with Timeout Responses, the Web Agent uses the values from its Session Cache, which are the values the Policy Server obtained from that Realm's Session tab.

If the User's Session has not timed out in the Realm they are currently in, and they attempt to access a resource in a Realm in which their Session would be expired, the User is re-prompted for credentials. However, their SMSESSION cookie is not set to "LOGGEDOFF", so the User can still access other resources in Realms for which their Session would not be expired.

If 'EnforceRealmTimeouts' is set to "No" and a User first accesses a protected resource, the Timeout values the Policy Server obtains from the Realm's Session tab are used for the User's Session, and these values are stored in the Web Agent's Session Cache for this Realm.

If the User attempts to access another protected resource during the same session, the Web Agent uses the values from its Session Cache, which are the values the Policy Server obtained from the Session tab of the first Realm visited during the session, when the value was first set.
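The precedence rules above are easier to check against a concrete walk through several Realms. The following Python model is an added example, not SiteMinder code or anything shipped by Broadcom: it tracks one user's SMSESSION timeouts and a Web Agent Session Cache while the user visits Realms with and without the OnAuthAccept Timeout Responses, for both settings of EnforceRealmTimeouts. The Realm names, the timeout values, and the reading that every mis-configured Realm visited before any Response has fired gets its own Session-tab values cached are assumptions made for the illustration; session expiry and the credential re-prompt are not modelled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Timeouts:
    """Session timeouts in seconds (idle and max)."""
    idle: int
    max: int


@dataclass(frozen=True)
class Realm:
    name: str
    session_tab: Timeouts                 # values on the Realm's "Session" tab
    responses: Optional[Timeouts] = None  # WebAgent-OnAuthAccept-Session-*-Timeout
                                          # Responses bound to an OnAuthAccept Rule


class WebAgentSession:
    """Illustrative model of one user's SMSESSION as seen by one Web Agent."""

    def __init__(self, enforce_realm_timeouts: bool):
        self.enforce = enforce_realm_timeouts
        self.cache: dict[str, Timeouts] = {}   # Session Cache, keyed by Realm name
        self.current: Optional[Timeouts] = None
        self.responses_fired = False           # any properly configured Realm visited yet?

    def access(self, realm: Realm) -> Timeouts:
        if realm.name in self.cache:
            # Revisit of a Realm whose Session-tab values were cached: the
            # cached values win, even if Responses have fired elsewhere since.
            self.current = self.cache[realm.name]
        elif not self.enforce:
            # EnforceRealmTimeouts=No: the first Realm's Session-tab values
            # govern the whole session; later Realms do not change them.
            if self.current is None:
                self.current = realm.session_tab
                self.cache[realm.name] = realm.session_tab
        elif realm.responses is not None:
            # Properly configured Realm: its Responses fire and are inherited.
            self.current = realm.responses
            self.responses_fired = True
        elif not self.responses_fired:
            # Mis-configured Realm visited before any Responses fired (assumption:
            # each such Realm is cached with its own Session-tab values).
            self.current = realm.session_tab
            self.cache[realm.name] = realm.session_tab
        # Remaining case: mis-configured Realm after Responses have fired,
        # so the user keeps the previous properly configured Realm's values.
        assert self.current is not None
        return self.current


def walk(enforce_realm_timeouts: bool, path: list) -> list:
    """Return (realm, idle, max) for each access along the path."""
    agent = WebAgentSession(enforce_realm_timeouts)
    out = []
    for realm in path:
        t = agent.access(realm)
        out.append((realm.name, t.idle, t.max))
    return out


# Constructed sample Realms (hypothetical names and values, not from the article).
REALM_A = Realm("A-misconfigured", Timeouts(idle=600, max=3600))
REALM_B = Realm("B-configured", Timeouts(idle=900, max=7200),
                responses=Timeouts(idle=300, max=1800))
REALM_C = Realm("C-misconfigured", Timeouts(idle=1200, max=14400))


if __name__ == "__main__":
    path = [REALM_A, REALM_B, REALM_C, REALM_A]
    for enforce in (True, False):
        print(f"EnforceRealmTimeouts={'Yes' if enforce else 'No'}")
        for name, idle, mx in walk(enforce, path):
            print(f"  {name:18} idle={idle:5} max={mx:6}")
```

With EnforceRealmTimeouts=Yes the walk A, B, C, A yields the Session-tab values of A, then B's Response values, then B's values again in C (no Responses there), and finally A's cached Session-tab values on the revisit. With EnforceRealmTimeouts=No every step reports A's values. Visiting B before A (B's Responses fire first) keeps B's values in A, because nothing for A was cached before a Response fired.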