How to invalidate the Subject on Session invalidation - Websphere



  1. How to invalidate the Subject on Session invalidation

    Hello,

    We have a requirement to invalidate the user's subject when the user's session times out. Is there any configuration in WebSphere by means of which I could specify that the user's Subject should get invalidated as part of session timeout? Or is it programmatically possible to do so?

    regards,

    Anand

  2. Re: How to invalidate the Subject on Session invalidation

    anandatwork@gmail.com wrote:
    > Hello,
    >
    > We have a requirement to invalidate the user's subject when the
    > user's session times out. Is there any configuration in WebSphere by
    > means of which I could specify that the user's Subject should get
    > invalidated as part of session timeout? Or is it programmatically
    > possible to do so?


    That's a pretty dumb requirement, as the HTTP Session has nothing to do
    with security. If the Session times out, the application should handle
    that situation gracefully without logging the user off. There is a
    completely separate timeout (LTPA timeout) which relates to security,
    and has a default value of two hours.
