Ticket #532 (closed task: fixed)

Opened 1 year ago

Last modified 1 year ago

let CAS grantingTicket timeout to 1 day

Reported by: russ Assigned to: russ
Priority: medium Milestone:
Component: ambra Version: 0.7
Keywords: Cc:
Blocking: Blocked By:

Description

susanne gets reports from users that their login timed out while they were submitting an annotation and their annotation got lost.

is there, actually, an idle time out for logged in users (and if so, does anyone feel strongly that it's a good idea to have a time out like this in a non-financial application?)

or is this more likely a load balancing issue, where the annotation gets lost if the submission hits the other web server? (login is preserved if you bounce to the other web server, but it takes a trip through CAS to stay logged in as the ticket is verified and maybe that loses the annotation?)

Change History

08/08/07 09:59:20 changed by amit

  • owner changed from jsuttor to stevec.
  • milestone set to 0.8.

08/08/07 11:36:38 changed by stevec

  • owner changed from stevec to russ.

There are multiple time outs. I can't answer the question about the load balancing because I have little insight into how that is set up.

CAS has a timeout on the tickets it issues and then Tomcat has a session timeout. You need a timeout on Tomcat, otherwise you'll never be able to collect the resources that the session uses since most people don't hit the logout button. Initially, I was setting the timeout in the application's web.xml file, but looking at the change log, I took that out and started using the container's. I assume that was for packaging reasons. The value can be found in the web.xml in the conf folder of the Tomcat installation. It looks like the rpms are using the default 30 minute one. I'd suggest upping that value to hours (I had 600 in the web.xml at one point - that may be excessive). I think this is your main problem right now.

CAS timeouts are defined in its web.xml file as follows:

    <!-- Timeout for granting tickets -->
    <context-param>
        <param-name>edu.yale.its.tp.cas.grantingTimeout</param-name>
        <param-value>7200</param-value>
    </context-param>

    <!-- Timeout for service tickets -->
    <context-param>
        <param-name>edu.yale.its.tp.cas.serviceTimeout</param-name>
        <param-value>300</param-value>
    </context-param>

    <!-- Timeout for login tickets (since 2.0.12) -->
    <context-param>
        <param-name>edu.yale.its.tp.cas.loginTimeout</param-name>
        <param-value>86400</param-value>
    </context-param>

http://www.ja-sig.org/wiki/display/CAS2/Adjusting+the+CAS+SSO+duration has more details. Looks like the grantingTimeout is the one to worry about. Also here near the bottom: http://forum.springframework.org/showthread.php?t=19072&page=2

08/08/07 13:20:11 changed by russ

okay. in 0.7 it's still in the webapp. it seems to be set to 7200 secs (2hrs) as per the quote above...

i will sit on this until after the 0.8 upgrade, configure a longer timeout (probably a day), and commit it back.

08/08/07 13:24:33 changed by russ

  • type changed from clarification to task.

08/08/07 13:27:03 changed by russ

  • status changed from new to assigned.
  • summary changed from how long is the login timeout? to let CAS grantingTicket timeout to 1 day.

08/08/07 13:30:21 changed by stevec

Sorry, I wasn't clear in the answer. PLoS ONE's tomcat has a 30 min timeout now (set in conf/web.xml). CAS's timeout is defined in its own web.xml in the webapp.

08/09/07 10:34:15 changed by russ

ahh, so i need to set the grantingticket timeout in cas AND the plosone tomcat session timeout?

this one, yes?

  <!-- ==================== Default Session Configuration ================= -->
  <!-- You can set the default session timeout (in minutes) for all newly   -->
  <!-- created sessions by modifying the value below.                       -->

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

08/22/07 10:46:10 changed by russ

  • milestone deleted.

will do this post 0.8 upgrade and then check in changes

08/22/07 12:17:55 changed by stevec

Well, it depends what you want to do. They have different effects. I definitely think the plosone timeout should be increased to greater than 30 minutes. There are two ways to accomplish that. If you change conf/web.xml, that will make it the default session timeout for all webapps deployed in that container unless they explicitly define one in their own web.xml file. Since I think only the doi resolver and plosone are in the same container, that may or may not be a big deal. The other way is to simply define the session timeout in plosone's web.xml file. That will affect only that webapp. This is more portable (i.e., if you take this war to a completely different container, you'll still get the same session timeout value). See [1502]

The CAS timeout is separate. If you want to increase that to a full day, then yes you'll have to change the context params mentioned above.
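Added example, not part of the ticket or the Ambra code base: a small audit that reads the two settings discussed above, converts both to seconds (the CAS context-params are in seconds, `session-timeout` is in minutes), applies the webapp-over-container precedence described in the comment, and reports which limit is shorter. The function names and the sample XML are constructed for illustration; the values mirror those quoted in the ticket.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; the values mirror those quoted in the ticket.
CAS_XML = """<web-app>
  <context-param><param-name>edu.yale.its.tp.cas.grantingTimeout</param-name>
    <param-value>7200</param-value></context-param>
  <context-param><param-name>edu.yale.its.tp.cas.serviceTimeout</param-name>
    <param-value>300</param-value></context-param>
</web-app>"""
CONTAINER_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""
WEBAPP_PLAIN = "<web-app><display-name>plosone</display-name></web-app>"
WEBAPP_OVERRIDE = """<web-app>
  <session-config><session-timeout>600</session-timeout></session-config>
</web-app>"""

def _find(xml_text, name):
    """All elements with this local name, with or without an xmlns."""
    root = ET.fromstring(xml_text)
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def cas_timeouts_seconds(cas_xml):
    """Map e.g. 'grantingTimeout' -> seconds from CAS context-params."""
    out = {}
    for param in _find(cas_xml, "context-param"):
        kv = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in param}
        name = kv.get("param-name", "")
        if name.startswith("edu.yale.its.tp.cas."):
            out[name.rsplit(".", 1)[-1]] = int(kv["param-value"])
    return out

def session_timeout_seconds(webapp_xml, container_xml):
    """The webapp's web.xml wins; else the container's conf/web.xml applies."""
    for source, text in (("webapp", webapp_xml), ("container", container_xml)):
        hits = _find(text, "session-timeout")
        if hits:
            minutes = int(hits[0].text.strip())  # this element is in minutes
            return source, (minutes * 60 if minutes > 0 else None)  # <=0: never
    return "none", None

def audit(cas_xml, webapp_xml, container_xml):
    """Put both limits in seconds and name the shorter one."""
    granting = cas_timeouts_seconds(cas_xml)["grantingTimeout"]
    source, session = session_timeout_seconds(webapp_xml, container_xml)
    shorter = "tomcat-session" if session and session < granting else "cas-granting"
    return {"granting_s": granting, "session_s": session,
            "session_source": source, "shorter": shorter}
```

With the container default of 30 the Tomcat session (1800 s) is the shorter limit; with 600 in the webapp's own web.xml (36000 s) the 7200 s granting timeout becomes the shorter one.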

09/24/07 12:14:48 changed by russ

  • status changed from assigned to closed.
  • resolution set to fixed.