
Force Reauthentication on BSP application after 20 minutes inactive

Former Member
0 Kudos

Hello All,

We have users authenticating on a Java box and obtaining a MYSAPSSO2 cookie and then proceeding to an ABAP BSP application. We simply want users to have to reauthenticate after 20 minutes of inactivity.

I have found a couple of settings.

ABAP - login/ticket_expiration_time profile parameter

JAVA - login.ticket_lifetime set in UME properties for Create Ticket Login Module in VA-Security Provider.

Are these valid? Are there any other settings I need to set? Seems that even though I set the lifetime of the SSO cookies I may still have to set a session timeout to make sure a session cookie times out as well.

Thanks,

Doug

1 REPLY

mvoros
Active Contributor
0 Kudos

Hi,

I don't think that setting ticket lifetime is what you want. The expiry date is part of the cookie and it's signed by the issuer. If you set it to 20 minutes then it means that it's valid for 20 minutes, which sounds like what you want, but the problem is that if the user is active for 20 minutes he or she will still have to re-authenticate because the ticket will expire. It's like my passport expires after 10 years regardless of whether I use it or not.

Usually, a logon ticket is issued for 8 hours. So even if the HTTP session expires (let's say 20 minutes), users can still log on without entering credentials, but they have to start from scratch. The only way I can think of to force re-authentication only for inactive users is to do it somehow in your BSP app.

Cheers
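
The difference between a fixed ticket lifetime and an inactivity timeout described in the reply above, as an added example (not part of the original thread and not SAP code). The HMAC ticket format, the key, `IdleGate` and `replay` are hypothetical stand-ins; a real logon ticket has its own format and signature scheme.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"      # stand-in for the issuer's signing key
IDLE_LIMIT = 20 * 60               # 20 minutes of inactivity, in seconds


def issue_ticket(user, now, lifetime):
    """Issuer side: the expiry is fixed at issue time and covered by the signature."""
    body = f"{user}|{now + lifetime}"
    sig = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"


def ticket_valid(ticket, now):
    """Check signature and absolute expiry; user activity plays no part here."""
    body, _, sig = ticket.rpartition("|")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    return now < int(body.rsplit("|", 1)[1])


class IdleGate:
    """Application side: server-side last-activity time per ticket."""

    def __init__(self):
        self.last_seen = {}    # ticket -> time of last accepted request
        self.locked = set()    # tickets that exceeded the idle limit

    def allow(self, ticket, now):
        if ticket in self.locked or not ticket_valid(ticket, now):
            return False
        last = self.last_seen.get(ticket)
        if last is not None and now - last > IDLE_LIMIT:
            self.locked.add(ticket)   # still-valid ticket, but user was idle
            return False
        self.last_seen[ticket] = now  # sliding window: activity resets the clock
        return True


def replay(lifetime, minutes):
    """Replay constructed request times (minutes after login) against one ticket."""
    gate, ticket = IdleGate(), issue_ticket("demo_user", 0, lifetime)
    return [gate.allow(ticket, m * 60) for m in minutes]
```

With a 20-minute ticket, a continuously active user is rejected at minute 25; with an 8-hour ticket and the idle gate, only the request that follows a gap longer than 20 minutes is rejected, and the ticket stays rejected until a new one is issued.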