Issue:
Transactions are taking too long to complete; the applications team reports timeouts on requests from the agent to the policy server after persistent realms and a session store were added to the environment.
Environment:
Cause:
Analysis of the SSO Policy Server trace logs with the trace analysis tool shows significant delays when processing the logout functions for persistent sessions.
The log snippet below illustrates where this bottleneck occurs.
How logout for a persistent session is processed:
Under heavy load, processing the agent commands (adds/reads/deletes) for every logout can cause significant delays and also increases the policy store DB size with each user logout.
Log Example:
Resolution:
Upgrade the Policy Server to R12.52 SP1 CR5, the first GA release that has the agent cache flush turned off by default for persistent session logoffs.
Registry setting to enable or disable the flush (add a new DWORD value):
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\SessionServer
Value name: EnableFlushUserCmdOnLogout
Specifies whether users are flushed from the session store cache on logout.
Values: 0 (disabled) or 1 (enabled)
Default: 0
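The following PowerShell script is an added example, not part of the original article or a CA/Broadcom-supplied tool. It reads the EnableFlushUserCmdOnLogout value described above and sets it explicitly, creating the SessionServer key if it does not exist. The function names are the author's own, and it is assumed (not stated in the article) that the Policy Server reads the value at startup, so a restart is needed after changing it.

```powershell
# Added example (not from the KB article): inspect or set the EnableFlushUserCmdOnLogout
# DWORD on a SiteMinder Policy Server. Run from an elevated PowerShell session on the
# Policy Server host. Key path and value name are taken from the article above.
$KeyPath   = 'HKLM:\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\SessionServer'
$ValueName = 'EnableFlushUserCmdOnLogout'

function Get-FlushOnLogoutSetting {
    # Returns the configured value, or $null when the value (or the key) has not been
    # created, in which case the server's built-in default applies (0 on R12.52 SP1 CR5+).
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-FlushOnLogoutSetting {
    # Only the two documented values are accepted: 0 (disabled) or 1 (enabled).
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # -Force overwrites an existing value; -PropertyType DWord creates it as REG_DWORD.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Enabled -Force | Out-Null
    # Assumption (not from the article): the setting is read at Policy Server startup.
    Write-Host "$ValueName set to $Enabled; restart the Policy Server for it to take effect"
}

# Usage: report the current state, then record the disabled setting explicitly so the
# behaviour no longer depends on which release's default is in force.
$current = Get-FlushOnLogoutSetting
if ($null -eq $current) { Write-Host "$ValueName not present; server default applies" }
else { Write-Host "$ValueName currently $current" }
Set-FlushOnLogoutSetting -Enabled 0
```

Writing the value explicitly, even when it matches the new default, makes the intended behaviour visible to anyone auditing the server's registry and survives a later upgrade that might change the default again.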
Additional Information:
The agent flush was an additional precaution to minimize cookie replay attacks.
Replay: the Web Agent does not flush a user from the Agent Cache when the user hits the LogOffURI with a persistent session, allowing a stolen SMSESSION cookie to be replayed until the Session Validation Period is reached. It was discovered that the agent flush was itself still susceptible to replay for up to 60 seconds (2 × pspollinterval; default 30 seconds × 2 = 60 seconds).
Moving forward, it is suggested to set the validation period at the realm level to 60 seconds to achieve the same precaution as the agent flush.
NOTE: The client browser will only be able to access the resource it previously accessed for up to seconds after logout; once logout is called, the session is deleted from the session store.