How does the Policy Server manage session timeouts for persistent sessions?


Article ID: 53197


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On



The customer would like to understand how the Policy Server manages session timeouts for persistent sessions.


For a persistent session the Policy Server enforces the idle timeout as well as the session expiration timeout. In order to do this, the Policy Server maintains two timestamps for each session:

  1. Session creation timestamp.

  2. Last Activity timestamp - this timestamp is updated during the session validation call.

The Web Agent makes a session validation call when it finds a valid SMSESSION cookie. The Policy Server validates the passed session by looking it up in the Session Store by its Session ID and checking the session state to make sure the session is valid. The Policy Server then updates the last activity time for the session in the Session Store.

Periodically, the Policy Server checks the timestamps and terminates all sessions that have timed out due to either the idle timeout or the expiration timeout. Note that the Logout event is NOT generated when the Policy Server terminates a session due to the idle or expiration timeout.

The frequency of the session checking is 60 seconds by default and is defined by the following DWORD registry entry (measured in seconds):

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\SessionServer
Value: MaintenancePeriod
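
The mechanism described above, as a small Python model (an added example, not SiteMinder code). The class and method names, the timeout values, the `>=` comparison, the event tuples and the alignment of sweeps to multiples of MaintenancePeriod are assumptions made for illustration. It shows that a timed-out session ends at the next sweep rather than at the timeout instant, and that only an explicit logout leaves a Logout event for audit tooling to see.

```python
from dataclasses import dataclass
MAINTENANCE_PERIOD = 60  # seconds; default the article gives for MaintenancePeriod

@dataclass
class Session:
    created: int              # session creation timestamp
    last_activity: int        # refreshed by each validation call
    state: str = "active"

class SessionStore:
    def __init__(self, idle_timeout, max_timeout):
        self.idle_timeout, self.max_timeout = idle_timeout, max_timeout
        self.sessions, self.events = {}, []   # events: constructed audit trail

    def validate(self, sid, now):
        # Find the session by ID, check its state, then update last activity.
        s = self.sessions.get(sid)
        if s is None or s.state != "active":
            return False
        s.last_activity = now
        return True

    def logout(self, sid, now):
        if self.validate(sid, now):
            self.sessions[sid].state = "logged_out"
            self.events.append((now, sid, "Logout"))  # only explicit logout logs this

    def maintenance(self, now):
        # Periodic sweep: end timed-out sessions without recording a Logout event.
        ended = {}
        for sid, s in self.sessions.items():
            if s.state == "active" and now - s.created >= self.max_timeout:
                s.state = ended[sid] = "expired"
            elif s.state == "active" and now - s.last_activity >= self.idle_timeout:
                s.state = ended[sid] = "idle"
        return ended

def simulate(idle_timeout=300, max_timeout=910, horizon=1200):
    """Return ({sid: (sweep_time, reason)}, events) for constructed sessions A, B, C."""
    store, ended = SessionStore(idle_timeout, max_timeout), {}
    store.sessions = {sid: Session(0, 0) for sid in "ABC"}
    for now in range(1, horizon + 1):
        if now == 100:
            store.validate("A", now)      # A's last request, then it goes idle
            store.logout("C", now)        # C logs out explicitly
        if now % 250 == 0:
            store.validate("B", now)      # B stays busy until it expires
        if now % MAINTENANCE_PERIOD == 0:
            ended.update({sid: (now, why) for sid, why in store.maintenance(now).items()})
    return ended, store.events
```

In this run, session A reaches its idle limit at t=400 but is terminated at the t=420 sweep, and session B reaches its expiration limit at t=910 but is terminated at t=960; neither appears in the event list.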


Component: SMPLC