A redirect to the login page from error page would be a more reasonable solution IMO.

On Wed, Jan 4, 2017 at 3:23 PM, Robert Story <rstory@tislabs.com> wrote:
On Wed, 4 Jan 2017 14:40:06 -0500 Ravi wrote:
RN> With SSO the client sends the client secret to SSO which is stored in the
RN> session. Now when the clients session expires all the information including
RN> the client secret is lost when the session is purged by the application
RN> server.

Is the session expiration time configurable?

RN> 1. login to webadmin
RN> 2. Leave the session until session time out on engine and user is
RN> redirected to login page (the client id and secret are sent)
RN> 3. If user tries to login now everything will be fine but if user leaves
RN> and the session expires the session is purged, client secret is lost
RN> 4. User enters user name password on the screen after coming back. The
RN> login form does not have a session associated with it so the client and
RN> secret are not found and SSO needs to report that the session has expired
RN> and redirect user to welcome page.

So in step 4, can't it just start a new session instead of going to an
expiration page? Or show the page for a few seconds and then start a new
session?

Or in step 2, set a refresh on the login page that still has a session so
that when the session expires it will redirect to a login screen that will
start a new session?



Robert

--
Senior Software Engineer @ Parsons