I can answer this for a particular product suite: WebSeal and
WebSphere using LTPA cookies, due to some research I can't directly
share.

If a WebSeal junction has a 15 minute idle out, and WebSphere a 20
minute idle out, users cannot re-connect to the WebSphere application
after 15 minutes, but resources are held open on WebSphere for the
whole 20 minutes. In general, it's best to have WebSeal use a shorter
idle timeout than the application server behind it as this leads to
less confusion for the user and greater security as the application
server cannot be reached when WebSeal does not allow it.

If WebSeal forcefully logs off your users (say via pdadmin), apps
hidden behind WebSeal junctions are generally not notified but also
do not see any further connectivity until a user logs in again. If
you want to see logout events, I'm moderately certain there is no
method to notify the WebSphere application except via using a custom
logout page outside your protected junction ... and by that time you
will no longer have access to the WebSphere application state, so I'm
not sure what that would gain you.

An application which is WebSeal aware can log off an individual
WebSeal session via an API call and reduce the possibility of this
difference being exploited. This is best practice.

thanks,
Andrew

On 03/05/2006, at 10:45 PM, Keith Duffin wrote:

> What about instances where an identity framework is used, such as CA's
> Siteminder or IBM's Identity Mangament Suite? Closing the browser
> will
> result in the session begin invalidated - I'm not sure if that
> cascades to
> releasing other resources or not.

0? *?H?÷

 ?0?

10 +0? *?H?÷


 ?í0?¦0? 
pémìaæVlÊð~)m60
 *?H?÷


0b10 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
060121125830Z
070121125830Z0l10U
van der Stock10
U*Andrew10UAndrew van der Stock1"0  *?H?÷


vanderaj (at) greebo (dot) net0 [email concealed]?0
 *?H?÷



0?ÔâI?ü??m?òåiЪ͵!òÕ?Ò#?T»coýeo(Náµ¹P,cÓø©â:ªµ4ghé<>(}÷
a(Æ$УTíÍóEuÓmáÇy?¸ÖàJJðBשµ;YʽBö;ô?ê?OL?*9Ó¤;l?f]t0Ì/¶;~Ã?ÜlÌ¡åi


£S0Q0U

ÿø0 `?H
?øB

 0U0vanderaj (at) greebo (dot) net0 [email concealed]U

ÿ00
 *?H?÷


?Þ?c­bu¿.¶Èùô¹ ©fëÓ=p$ñ?hfv?sa»ß¹?í~ÔNàñðÁØ ?OÂÞvÊ'ñ[=µD¡ÆYj%ÀsÀ¾¥®Ü8x¢íù!c;7¦j6½»Ì®Üc àb6È»ó,­Ò^| ©ìMûCLh4_F ªq0??0?¨ 


0
 *?H?÷


0Ñ10 UZA10UWestern Cape10U Cape Town10U
Thawte Consulting1(0&UCertification Services Division1$0"UThawte Personal Freemail CA1+0) *?H?÷


personal-freemail (at) thawte (dot) com0 [email concealed]
030717000000Z
130716235959Z0b10 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0?0
 *?H?÷



0?Ä¦<UsUûN¹Ê?ZhÀupßéÿ£ì½Íõ[òv½:aò¿QÎ
ÔåP
0×cZ,?p?ÝÉð+?Zª?qV˯<çñ?6$*Ï+Õó?w=¾+þ»>¿@?dק¦»?eÑÅ*T?H§¶Ñ<
a@dr`·û

£?0?0U

ÿ0

ÿ
0CU<0:08 6 4?2http://crl.tha
wte.com/ThawtePersonalFreemailCA.crl0U
0)U"0 ¤010UPrivateLabel2-1380
 *?H?÷


H?ÑP?ê.Ì
£f¬g¯¬¾Â¡C??L!¸ø6ª-?6/ÀôP ?p<ý­áabÃÙ:~?±?Å?t?%P?bÇÛ'qW%Ý©?9?? Oe_?Ú÷÷?ÖÆN®öê4å[5MwãV!x?Ü!5Þ$±ÓFÿ]_eO1?0??

0v0b10 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CApémìaæVlÊð~)m60 + ?
o0 *?H?÷

1 *?H?÷


0 *?H?÷

1
060503133058Z0# *?H?÷

1·ì"ܽµ;
¾?~ÛCWY'0? +

?71x0v0b10 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CApémìaæVlÊð~)m60?*?H?÷

1x v0b10 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CApémìaæVlÊð~)m60
 *?H?÷



?|y]iåòW\p?X©ùi:8;lö.ÐÎéæ-?Õðá,p<
á+qÆ¡½?¢æL¿Äå?vnI³?$T9ÐÁP£¾?«2ì>­?IãE#4 Mì7hçãc8??rÙYc?@´}?hÇ?A??© x?Ýýºm?ØãSöÔ

[ reply ]