
This HOWTO describes how to control SSO session timeouts (after which the user must reauthenticate) by modifying the ticket-granting ticket expiration policy.

CAS ticket timeouts are configured in ticketExpirationPolicies.xml. In the CAS 3.2.1.1 source this file lives at

/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml

This configuration file is deployed into

TOMCAT/webapps/cas/WEB-INF/spring-configuration/ticketExpirationPolicies.xml

This file configures two policies. The one relevant to single sign-on session timeouts is the ticket granting ticket expiration policy.

By default these tickets are configured to expire after 7,200,000 milliseconds == 7,200 seconds == 2 hours.

ticketExpirationPolicies.xml default configuration of ticket granting ticket timeout of 2 hours

Suppose you'd prefer ticket granting tickets remain valid for 45 minutes == 2,700 seconds == 2,700,000 milliseconds before expiring. Here's how you'd configure that:

ticketExpirationPolicies.xml changed configuration of ticket granting ticket timeout to 45 minutes

This timeout is independent of the CAS web application session timeout, which is only important for keeping the user's place in the login workflow. That timeout is configured in the CAS webapp web.xml and defaults to five minutes:

Default configuration in CAS server web.xml of five minute application session timeout

Changing this value will change the interval of time in which CAS remembers the user's place in the login workflow, e.g. if the user takes some time after first rendering the CAS login screen to read his password from the sticky note on his monitor and type it into the CAS login form. Changing this value will not change the interval of time in which a CAS ticket granting cookie (bearing a ticket granting ticket) is valid.

Changing this session timeout interval is typically only interesting if the login workflow is also enhanced to include more interesting and time-consuming steps or if user-facing functionality other than the login workflow is being provided via the CAS web application. For instance, a session timeout of five minutes while interacting with administrative panes of the optional services registry management application in CAS might well be annoying and worth increasing to make that application more usable.
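The following check is an added example, not part of the original HOWTO or the CAS distribution. It reads both settings discussed above and reports the effective SSO lifetime separately from the login-workflow session timeout. The embedded XML is constructed sample input; the bean id `grantingTicketExpirationPolicy` and its class name are assumptions about the CAS 3.x file layout and should be checked against the deployed file.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the CAS 3.x layout; the bean id and class are
# assumptions, so compare them with your deployed ticketExpirationPolicies.xml.
SAMPLE_POLICIES = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="grantingTicketExpirationPolicy"
        class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
    <!-- Ticket granting ticket lifetime in milliseconds (45 minutes) -->
    <constructor-arg index="0" value="2700000" />
  </bean>
</beans>
"""

# Constructed sample of the servlet session timeout, which is given in minutes.
SAMPLE_WEB_XML = """<web-app>
  <session-config><session-timeout>5</session-timeout></session-config>
</web-app>
"""

def local(tag):
    """Strip an XML namespace so lookups work with or without one."""
    return tag.rsplit("}", 1)[-1]

def tgt_timeout_ms(policies_xml, bean_id="grantingTicketExpirationPolicy"):
    """Return the TGT timeout in milliseconds from the expiration policy bean."""
    for el in ET.fromstring(policies_xml).iter():
        if local(el.tag) == "bean" and el.get("id") == bean_id:
            for arg in el:
                if local(arg.tag) == "constructor-arg" and arg.get("index", "0") == "0":
                    return int(arg.get("value"))
    raise LookupError("bean %r not found" % bean_id)

def session_timeout_minutes(web_xml):
    """Return the webapp session timeout (minutes) from web.xml."""
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) == "session-timeout":
            return int(el.text.strip())
    raise LookupError("no <session-timeout> element")

def check(policies_xml, web_xml, max_sso_minutes):
    """Summarise both timeouts and flag an SSO session longer than the limit."""
    sso = tgt_timeout_ms(policies_xml) / 60000.0
    return {"sso_minutes": sso,
            "login_flow_minutes": session_timeout_minutes(web_xml),
            "within_limit": sso <= max_sso_minutes}

if __name__ == "__main__":
    print(check(SAMPLE_POLICIES, SAMPLE_WEB_XML, max_sso_minutes=45))
```

To audit a real deployment, pass the contents of the two deployed files instead of the samples.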
