Administrative UI : Vulnerability : Insufficient Session Expiration

Article ID: 4919

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • AXIOMATICS POLICY SERVER
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On

Issue/Introduction

The SiteMinder Administrative UI does not terminate sessions after a reasonable period of user inactivity.

An inactivity period may result from a user leaving a logged-in session unattended, or from a user closing the browser without using the logout function. User sessions remained active after 30 minutes of inactivity.

The idle period that can be considered reasonable for this application is shorter than usual because of the administrative actions that can be performed through it: an abandoned session stays usable, with full administrative rights, by anyone who gains access to the browser or to the session token until it expires.

Environment

Administrative UI : R12.52 and above

Resolution

The default session idle timeout is 30 minutes.

You can configure a shorter value by editing the <session-timeout> element in the Administrative UI's web.xml file.

The location of the web.xml file:

12.52 SP2:

<AdminUI_Install_directory>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF

12.52 SP1 and below:

<AdminUI_Install_directory>\server\default\deploy\iam_siteminder.ear\user_console.war\WEB-INF

Element to modify:

<session-config>
    <!-- 30 minutes -->
    <session-timeout>30</session-timeout>
</session-config>

Note:

  • The value is in minutes, and it is an inactivity timeout measured from the last request; it does not cap the total length of a session.
  • Do not set the value to 0 or a negative number: under the Java Servlet specification a value of 0 or less means the session never times out, which is worse than the default.
  • You must restart the Administrative UI service after making the change.
  • The file lives inside the deployed WAR, so re-check the value after any upgrade or redeployment that replaces user_console.war.
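As an added example (not code from this article or from the product), the following Python script audits and rewrites the <session-timeout> value in a servlet web.xml such as the Administrative UI's. It edits the raw text so the file's layout, XML declaration and comments survive, refuses values of 0 or less (which the Servlet specification treats as "never expire"), keeps the "<!-- N minutes -->" comment in step with the value, and re-parses the result to confirm the live element actually changed. The sample web.xml embedded in it is constructed for the demo; the script name tighten_timeout.py and the .bak backup file are assumptions.

```python
"""Audit and tighten <session-timeout> in a servlet web.xml, e.g. the SiteMinder
Administrative UI's user_console.war/WEB-INF/web.xml.

Added example for this article; not Broadcom/CA code. SAMPLE_WEB_XML is
constructed for the demo and is not copied from the product.
"""
import re
import shutil
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a minimal web.xml carrying the default 30-minute idle timeout.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>user_console</display-name>
  <session-config>
    <!-- 30 minutes -->
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
"""

# Edits are made on the raw text rather than a re-serialised DOM so that layout,
# comments and the XML declaration are untouched; only the session-config block changes.
_CONFIG_RE = re.compile(r"<session-config>.*?</session-config>", re.DOTALL)
_TIMEOUT_RE = re.compile(r"(<session-timeout>\s*)-?\d+(\s*</session-timeout>)")
_COMMENT_RE = re.compile(r"(<!--\s*)\d+(\s*minutes\s*-->)")


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def get_session_timeout(xml_text):
    """Return the configured idle timeout in minutes, or None when web.xml sets none
    (the container's own default then applies)."""
    root = ET.fromstring(xml_text)
    for cfg in root:
        if _local(cfg.tag) == "session-config":
            for child in cfg:
                if _local(child.tag) == "session-timeout":
                    return int(child.text.strip())
    return None


def is_compliant(xml_text, max_minutes):
    """True only when a timeout is set, positive, and no longer than max_minutes.
    Per the Servlet spec, 0 or less means the session never expires, so such a
    value is non-compliant rather than 'very short'."""
    minutes = get_session_timeout(xml_text)
    return minutes is not None and 0 < minutes <= max_minutes


def set_session_timeout(xml_text, minutes):
    """Return xml_text with the idle timeout set to `minutes` (must be >= 1)."""
    if minutes < 1:
        raise ValueError("timeout must be at least 1 minute; 0 or less disables expiry")

    def edit_block(match):
        block, hits = _TIMEOUT_RE.subn(rf"\g<1>{minutes}\g<2>", match.group(0), count=1)
        if hits != 1:
            raise ValueError("<session-config> has no <session-timeout> element")
        # Keep a '<!-- N minutes -->' comment, if present, in step with the value.
        return _COMMENT_RE.sub(rf"\g<1>{minutes}\g<2>", block, count=1)

    new_text, hits = _CONFIG_RE.subn(edit_block, xml_text, count=1)
    if hits != 1:
        raise ValueError("no <session-config> block found; add one with <session-timeout>")
    # Re-parse the result: catches a malformed edit, or a hit on a commented-out
    # copy of the block instead of the live one.
    if get_session_timeout(new_text) != minutes:
        raise RuntimeError("edit did not take effect; inspect web.xml by hand")
    return new_text


def main(argv):
    """Usage: python tighten_timeout.py <path-to-web.xml> <minutes>
    With no arguments, demonstrates the edit on the constructed sample."""
    if len(argv) == 1:
        print(f"sample timeout: {get_session_timeout(SAMPLE_WEB_XML)} min, compliant(15)="
              f"{is_compliant(SAMPLE_WEB_XML, 15)}")
        print(set_session_timeout(SAMPLE_WEB_XML, 15))
        return 0
    if len(argv) != 3:
        print(main.__doc__)
        return 2
    path, minutes = argv[1], int(argv[2])
    with open(path, encoding="utf-8", newline="") as f:  # newline="" preserves CRLF endings
        original = f.read()
    print(f"current timeout: {get_session_timeout(original)} minutes")
    updated = set_session_timeout(original, minutes)
    shutil.copyfile(path, path + ".bak")  # assumed backup location, beside the original
    with open(path, "w", encoding="utf-8", newline="") as f:
        f.write(updated)
    print(f"set timeout to {minutes} minutes; restart the Administrative UI service to apply")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the web.xml path for your version and the desired number of minutes, then restart the Administrative UI service. Because the setting is idle-based, verify it end to end: log in, wait longer than the new value without sending any request, and confirm that the next request is sent back to the login page rather than served.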