Administrative UI : Vulnerability : Insufficient Session Expiration


Article ID: 4919


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


The SiteMinder Administrative UI application does not terminate sessions after a reasonable period of user inactivity.

Inactivity periods may be the result of a user leaving a logged-in session unattended, or of a user closing the browser without using the logout functionality. User sessions remained active after 30 minutes of inactivity.

Because of the administrative actions that can be performed using this application, the idle time that is considered reasonable for it is lower.


Administrative UI : R12.52 and above


The default session idle timeout value is 30 minutes.

However, you can configure a shorter value by updating the following element in the web.xml file, as shown below:


The location of web.xml file : 




12.52SP1 and below: 



Element to modify 


<!-- 30 minutes --> 



Note:

  • The value is in minutes.
  • You will need to recycle the Admin UI service after making the change.
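
An added example, not code from this article or from the product: a Python check that reads the idle timeout from a web.xml and flags values that are unset, non-expiring, or above a chosen limit. It assumes the setting is the standard Java Servlet deployment-descriptor element `<session-config>/<session-timeout>` (the element name is not taken from this article); the 15-minute limit and the sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    # Drop any "{namespace}" prefix so namespaced and plain descriptors both match.
    return tag.rsplit("}", 1)[-1]


def read_session_timeout(web_xml_text):
    """Return <session-config>/<session-timeout> in minutes, or None if absent."""
    root = ET.fromstring(web_xml_text)
    for cfg in root:
        if _local(cfg.tag) != "session-config":
            continue
        for child in cfg:
            if _local(child.tag) == "session-timeout":
                return int((child.text or "").strip())  # ValueError if not a number
    return None


def audit_timeout(web_xml_text, max_minutes):
    """Classify the configured idle timeout against a site-chosen limit."""
    try:
        minutes = read_session_timeout(web_xml_text)
    except ValueError:
        return "invalid"
    if minutes is None:
        return "unset"            # container default applies
    if minutes <= 0:
        return "never-expires"    # Servlet spec: 0 or less disables the timeout
    return "ok" if minutes <= max_minutes else "too-long"


def sample(value):
    # Constructed descriptor for the demo, not the product's shipped web.xml.
    return (
        '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">\n'
        "  <session-config>\n"
        f"    <session-timeout>{value}</session-timeout>\n"
        "  </session-config>\n"
        "</web-app>"
    )


if __name__ == "__main__":
    for value in ("30", "15", "0", "-1"):
        print(value, "->", audit_timeout(sample(value), max_minutes=15))
```

The check inspects the file only; a changed value takes effect after the Admin UI service is recycled, as noted above.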