
Really weird authentication problem going on - hope someone can help!

The Domino Web Server Log database shows all the requests a particular user is making for pages in an application I look after. The application is XPages-based and the user is regularly pressing Save on the document she is editing (every few minutes). The save does a full update.

The LTPA token is valid for 30 minutes - I assume however that every time the user performs a full update, the 30 minute token is renewed?

However, when looking at the logs, a save of the document at 09:05 shows the Remote User by name, another save at 09:07 still shows the user by name. The next save at 09:11 shows the remote user by IP address instead, and when you look at the log entry in more detail, the server has replied with 401 UNAUTHORIZED (The client is not authorized to access data). This has of course caused the user's browser to lose the work they had open at the time.

The Cookie on each log entry shows:

LtpaToken=AAECAzUwOUI2RjRCNTA5Qjc2NTNDTj1Bbm5lIExhdm91ZS9PVT1VSy9PPVJVSyvsCs5c4tITD9elgI0BCN5CnZ0O; SessionID=DBDFDKDGTI

The same LTPA Token and session ID for entries where the save document worked, as well as where it failed.

Unsurprisingly, they have then refreshed the session by closing the web page and going back into it following the error, and they get a new LTPA token and session ID.

The LTPA Token validity setting of 30 minutes I refer to is defined by our admins in a Web SSO Configuration document for the server, in the "Server\Internet Sites" view in the NAB. It's the Token Expirations (Minutes) setting. Am I completely misunderstanding this setting - should the timeout be renewed every time the user does a full submit to the server? Or is something else going on here?

asummers
  • +1 Have the same problem with SSO - tokens randomly expire within a few seconds/minutes after last activity. Discussed with IBM folks, but no solution yet. Please, post your find here. – Frantisek Kossuth Nov 08 '12 at 12:20

1 Answer


I don't think the token is renewed. It times out no matter if the user is active or not.

You could increase the expiration timeout to a reasonably high value and then add a lower minimum timeout to ensure that sessions don't time out too soon.

Here's an example where expiration is set very high and timeout is set to 2 hours: [screenshot of the Web SSO Configuration document not included]

Per Henrik Lausten
  • Thanks for the suggestion. For whatever reason there seems to be some reluctance to change these settings at the moment. It has also been pointed out that the Idle Session Timeout is actually ignored when SSO Authentication with Kerberos is in use - any ideas on that? – asummers Nov 08 '12 at 11:34
  • I don't know the details of SSO with Kerberos – Per Henrik Lausten Nov 08 '12 at 12:15
  • Ok, they have changed the setting to 600 minutes for the token Expiration and that seems to have solved the issue - we're not getting 401 errors every 30 minutes any more. I always thought that the token would be renewed with every successful post to the server within the Expiration timeout, but that doesn't appear to be the case. Thanks for pointing this out! – asummers Nov 08 '12 at 15:51
  • Renewing a token is an expensive operation, so it is a simple expiration timer, not an inactivity timer. – Richard Schwartz Nov 09 '12 at 05:56
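To make the "expiration timer, not inactivity timer" behaviour concrete, here is an added example (not from the question, answer or Domino itself) that decodes the documented LTPA v1 token layout (4 version bytes 00 01 02 03, 8 hex chars creation time, 8 hex chars expiration time, the canonical user name, 20-byte digest; the page's own cookie starts with "AAECAz", the base64 of those version bytes) and replays periodic saves against an absolute expiry. The user name and the zeroed digest are constructed; a real digest can only be verified with the server's Web SSO secret.

```python
import base64

# Documented Domino LTPA v1 layout: version, creation (hex), expiry (hex),
# user name, then a 20-byte SHA-1 digest computed with the SSO secret.
VERSION = b"\x00\x01\x02\x03"
DIGEST_LEN = 20


def make_token(user, created, lifetime_minutes):
    """CONSTRUCTED demo token: real servers sign it; we append a zero digest."""
    expires = created + lifetime_minutes * 60
    body = VERSION + f"{created:08X}{expires:08X}".encode() + user.encode()
    return base64.b64encode(body + b"\x00" * DIGEST_LEN).decode()


def parse_token(token):
    """Split a token into its fields; the expiry is fixed at issue time."""
    raw = base64.b64decode(token)
    if raw[:4] != VERSION or len(raw) < 4 + 16 + DIGEST_LEN:
        raise ValueError("not an LTPA v1 token")
    created = int(raw[4:12], 16)
    expires = int(raw[12:20], 16)
    user = raw[20:-DIGEST_LEN].decode("latin-1")  # ASCII names only here
    return {"user": user, "created": created, "expires": expires,
            "lifetime_minutes": (expires - created) // 60}


def token_valid_at(token, now):
    """Absolute check, as the server does: activity never moves 'expires'."""
    return now < parse_token(token)["expires"]


def simulate_saves(token, first_save, interval_minutes, count):
    """(minutes since first save, 'ok' or '401') for each periodic Save."""
    return [(i * interval_minutes,
             "ok" if token_valid_at(token, first_save + i * interval_minutes * 60)
             else "401")
            for i in range(count)]


if __name__ == "__main__":
    issued = 0x509B6F4B  # constructed creation time, seconds since epoch
    tok = make_token("CN=Example User/OU=UK/O=EXAMPLE", issued, 30)
    print(parse_token(tok))
    # Saving every 2 minutes still yields a 401 at the 30-minute mark.
    for minute, status in simulate_saves(tok, issued, 2, 16):
        print(f"+{minute:2d} min: {status}")
```

Raising Token Expiration (as the asker did, to 600 minutes) simply widens the creation-to-expiry gap in the token; it does not change the absolute nature of the check.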