Administrative UI : Vulnerability : Insufficient Session Expiration

Document ID : KB000004919
Last Modified Date : 14/02/2018
Issue:

The Siteminder Administrative UI application does not terminate sessions after a reasonable period of user inactivity.

Inactivity can result from a user leaving a logged-in session unattended, or from a user closing the browser without using the logout function. User sessions remained active after 30 minutes of inactivity.

Because of the administrative actions that can be performed through this application, the idle period that counts as reasonable for it is shorter than for an ordinary application.

Environment:
Administrative UI : R12.52 and above
Resolution:

The default session idle timeout value is 30 minutes.

You can shorten it by updating the following element in the web.xml file:


The location of the web.xml file:

12.52 SP2:

<AdminUI_Install_directory>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF

12.52 SP1 and below:

<AdminUI_Install_directory>\server\default\deploy\iam_siteminder.ear\user_console.war\WEB-INF


Element to modify (shown with the default value):

<session-config>
    <!-- 30 minutes -->
    <session-timeout>30</session-timeout>
</session-config>

Note :

  • The value is in minutes.
  • Use a positive value. Per the Servlet specification, a session-timeout of 0 or less means sessions never time out, which is the opposite of this fix.
  • You will need to recycle the Admin UI service after making the change.
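The edit above as a worked example: a small Python script, added here and not CA/Broadcom code nor part of the original article, that reads a web.xml, reports the current idle timeout, refuses values that would disable expiry, and rewrites the element in place while keeping the rest of the file untouched. The web.xml text embedded in it is a constructed sample containing only the elements this article mentions; the helper names (get_session_timeout, audit_session_timeout, set_session_timeout) and the 15-minute threshold used by the audit are assumptions for illustration, not product defaults.

```python
"""Audit and tighten <session-timeout> in a SiteMinder Admin UI web.xml.

Added example, not CA/Broadcom code. Assumes only the standard Java EE
descriptor layout shown in the KB article:
<session-config><session-timeout>N</session-timeout></session-config>.
"""
import re
import sys
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed sample mirroring the relevant part of user_console.war/WEB-INF/web.xml.
# It is not the real descriptor; only the <session-config> element matters here.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>user_console</display-name>
  <session-config>
    <!-- 30 minutes -->
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
"""

# Default applied when the element is absent; also the Admin UI default the KB describes.
CONTAINER_DEFAULT_MINUTES = 30

# Matches the value only when it sits inside <session-config>, so a
# <session-timeout> string elsewhere in the file is never touched.
_TIMEOUT_RE = re.compile(
    r"(<session-config>.*?<session-timeout>\s*)(-?\d+)(\s*</session-timeout>)",
    re.DOTALL,
)


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on namespaced tags.

    web.xml declares a default namespace, so root.find("session-config")
    would silently return None; comparing local names avoids that trap.
    """
    return tag.rsplit("}", 1)[-1]


def get_session_timeout(xml_text: str) -> Optional[int]:
    """Return the configured idle timeout in minutes, or None if not set."""
    root = ET.fromstring(xml_text)
    for cfg in root.iter():
        if _local(cfg.tag) == "session-config":
            for child in cfg:
                if _local(child.tag) == "session-timeout" and child.text:
                    return int(child.text.strip())
    return None


def audit_session_timeout(xml_text: str, max_minutes: int = 15) -> str:
    """Classify the effective timeout as "ok", "too-long" or "never-expires".

    The 15-minute threshold is an assumed policy value for this example.
    """
    minutes = get_session_timeout(xml_text)
    if minutes is None:
        minutes = CONTAINER_DEFAULT_MINUTES
    if minutes <= 0:  # Servlet spec: 0 or less means the session never times out
        return "never-expires"
    return "ok" if minutes <= max_minutes else "too-long"


def set_session_timeout(xml_text: str, minutes: int) -> str:
    """Return the descriptor text with <session-timeout> set to `minutes`.

    The edit is textual so the XML declaration, comments and formatting of the
    deployed file survive; the result is re-parsed to confirm the new value.
    """
    if minutes <= 0:
        raise ValueError("session-timeout must be positive; 0 or less disables expiry")

    def _repl(m: "re.Match[str]") -> str:
        # Keep the human-readable "<!-- N minutes -->" comment in step with the value.
        head = re.sub(r"<!--\s*\d+\s+minutes\s*-->", f"<!-- {minutes} minutes -->", m.group(1))
        return f"{head}{minutes}{m.group(3)}"

    new_text, count = _TIMEOUT_RE.subn(_repl, xml_text, count=1)
    if count != 1:
        raise ValueError("no <session-config>/<session-timeout> element found")
    if get_session_timeout(new_text) != minutes:
        raise RuntimeError("rewrite did not take effect; inspect the file manually")
    return new_text


if __name__ == "__main__":
    # Usage: python tighten_timeout.py <path to WEB-INF/web.xml> <minutes>
    path, wanted = sys.argv[1], int(sys.argv[2])
    with open(path, encoding="utf-8") as fh:
        current = fh.read()
    print(f"current: {get_session_timeout(current)} min ({audit_session_timeout(current)})")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(set_session_timeout(current, wanted))
    print(f"set to {wanted} min; recycle the Admin UI service for it to take effect")
```

Point the script at the WEB-INF\web.xml for your release and recycle the Admin UI service afterwards, as the note above says. The rewrite is done as a text substitution rather than a parse-and-serialize round trip because ElementTree would drop the XML comment and the declaration from the deployed file; the parse is used only to locate and verify the value.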