
List:       sidewinder
Subject:    Re: [Sidewinder] Problem expiring SSO cache
From:       sidewinder () adeptech ! com
Date:       2004-12-04 8:59:12
Message-ID: 41B17C60.6060406 () mn ! rr ! com

I saw a slightly different version of this problem.  I have noticed that 
even when you hit the "logout" page for SSO, you can close your browser 
and immediately connect to another site without logging in again.  On 
the other hand, you have to have successfully authenticated from that IP 
address in the past.  I haven't checked this "creeping cache" bug across 
reboots, anyone given it a try?

It is possible to manually expire entries in the GUI however.

--HA

sidewinder@adeptech.com wrote:

>We are using Single Sign-On to authenticate roaming remote users for
>some proxy services (Sidewinder 6.1.0.4).   There is a serious
>problem, however, with the cache_timeout setting: it doesn't work.
>
>For example, if I have the idle_timeout set to 30 minutes and the
>cache_timeout set to 1 hour, the following behavior is observed:
>
>1.  If a user breaches the idle limit, their session is disconnected. 
>However, they can reauthenticate simply by reloading the Web Login
>page at https://firewall:8111/sidewinder/login.html.  They do not have
>to enter their username and password (Mozilla, Firefox).
>
>2.  Users that breach the maximum cache time without going idle are
>not disconnected.  In fact, a check of the cache with "cf sso l" shows
>entries with cache times significantly older than the expected
>expiration time.  In fact, I have spotted entries more than one day
>old.
>
>3.  Some users, using Internet Explorer, report being forced to
>re-authenticate after the cache_timeout is breached.  Perhaps this is
>because IE properly expires the SSL certificate?  Either way, I have
>confirmed that the Sidewinder does not expire them.
>
>In the meantime, I have set up a cron script which expires all entries
>at midnight.  It works, but obviously I would prefer a functional
>timeout mechanism on the firewall.
>
>Has anyone else noticed this?  Are there any workarounds out there
>better than mine?
>I will notify Secure Computing of this sad horribleness.
>
>Thanks
>--Greg Chavez
>_______________________________________________
>Sidewinder mailing list
>Sidewinder@adeptech.com
>http://mail.adeptech.com/mailman/listinfo/sidewinder
>

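As an added illustration (not code from the list, from Secure Computing, or from the Sidewinder product), here is a small Python model of how an SSO cache keyed by client IP is expected to enforce the two limits discussed above: idle_timeout (measured from the last proxied request) and cache_timeout (an absolute lifetime measured from the original login, so a user who is never idle is still forced to re-authenticate). It also shows the behaviour the reply complains about: a logout must remove the entry, so a later connection from the same address is refused. The class and method names, and the addresses and timings, are constructed for the example; the "cf sso l" listing format is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MINUTE = 60  # seconds


@dataclass
class Entry:
    """One cached SSO authentication for a client IP (constructed model)."""
    user: str
    created: float    # time of the successful login
    last_seen: float  # time of the most recent proxied request


class SSOCache:
    """Hypothetical SSO cache enforcing idle_timeout and cache_timeout.

    Times are plain numbers of seconds so the model can be driven
    deterministically; a real implementation would use the clock.
    """

    def __init__(self, idle_timeout: int, cache_timeout: int) -> None:
        self.idle_timeout = idle_timeout
        self.cache_timeout = cache_timeout
        self.entries: Dict[str, Entry] = {}

    def login(self, ip: str, user: str, now: float) -> None:
        """Record a successful username/password authentication."""
        self.entries[ip] = Entry(user, now, now)

    def logout(self, ip: str) -> None:
        """Explicit logout must drop the entry, not merely mark it."""
        self.entries.pop(ip, None)

    def stale_reason(self, ip: str, now: float) -> Optional[str]:
        """Why an entry is not usable at time `now`, or None if it is valid.

        cache_timeout is checked first: it is an absolute lifetime, so a
        user who keeps sending requests still expires when it is reached.
        """
        e = self.entries.get(ip)
        if e is None:
            return "no entry"
        if now - e.created >= self.cache_timeout:
            return "cache_timeout"
        if now - e.last_seen >= self.idle_timeout:
            return "idle_timeout"
        return None

    def check(self, ip: str, now: float) -> bool:
        """Called per proxied request: allow and refresh, or expire and refuse."""
        if self.stale_reason(ip, now) is not None:
            self.entries.pop(ip, None)  # do not leave a dead entry behind
            return False
        self.entries[ip].last_seen = now
        return True

    def sweep(self, now: float) -> List[str]:
        """Periodic expiry pass (what the midnight cron job does by hand)."""
        expired = sorted(ip for ip in self.entries if self.stale_reason(ip, now))
        for ip in expired:
            del self.entries[ip]
        return expired


def scenario() -> dict:
    """Drive the model through the cases raised in the thread (constructed data)."""
    cache = SSOCache(idle_timeout=30 * MINUTE, cache_timeout=60 * MINUTE)
    results = {}

    # 1. A user who is never idle: requests at 20, 40 and 59 minutes succeed,
    #    but at 61 minutes the absolute cache_timeout forces re-authentication.
    cache.login("10.0.0.5", "alice", 0)
    results["active_checks"] = [cache.check("10.0.0.5", t * MINUTE) for t in (20, 40, 59)]
    results["active_61_reason"] = cache.stale_reason("10.0.0.5", 61 * MINUTE)
    results["active_61"] = cache.check("10.0.0.5", 61 * MINUTE)

    # 2. A user who logs in and then goes quiet breaches idle_timeout first.
    cache.login("10.0.0.6", "bob", 0)
    results["idle_reason"] = cache.stale_reason("10.0.0.6", 31 * MINUTE)

    # 3. Logout removes the entry, so the same IP is refused a minute later.
    cache.login("10.0.0.7", "carol", 0)
    cache.logout("10.0.0.7")
    results["logout_reason"] = cache.stale_reason("10.0.0.7", 1 * MINUTE)

    # 4. A sweep finds an entry more than a day old and removes it, while a
    #    five-minute-old entry survives.
    cache.login("10.0.0.8", "dave", -2 * 24 * 60 * MINUTE)
    cache.login("10.0.0.9", "erin", -5 * MINUTE)
    results["swept"] = cache.sweep(0)
    results["remaining"] = sorted(cache.entries)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point of checking cache_timeout before idle_timeout is that the absolute limit is what bounds how long a stolen or shared address stays authenticated; an implementation that only refreshes on activity reproduces the "entries more than one day old" symptom described above.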