Thursday, February 16, 2012

Session Timeout for Oracle Single Sign-On

Idle Session Timeout is the value (in minutes) on the Oracle Single Sign-On Server after which a user has to re-login if they have been inactive (no activity / idle) for that long. It is recommended to set the Idle Session Timeout (Global Inactivity Timeout) for security reasons. By default there is no value set for the Idle Session Timeout on the Oracle Single Sign-On Server, which means any application (like Portal, Discoverer, BI, Forms & Reports) that uses Oracle Single Sign-On for authentication will NOT log the user session out because of inactivity (this can be a security risk).

The default Session Timeout value for Oracle E-Business Suite 11i/R12 is 30 minutes. To know more about the idle session timeout in Oracle Apps 11i/R12, check my previous post, Idle Session in Oracle Apps R12, 11i.

Default Session Timeout for Apps 11i/R12 integrated with Single Sign-On Server
——————————————————————————–
For Oracle E-Business Suite (Apps 11i/R12) customers integrated with Oracle Single Sign-On, the default session timeout for E-Business Suite 11i/R12 is 30 minutes, whereas no value is set on SSO. This means that if an Apps user tries to access Apps after 30 minutes of inactivity, the user gets a warning that the session has timed out and is prompted to re-login. This takes the user to a new window, and the user can re-login to Apps without actually typing a user name and password.

The reason behind this security loophole is that the user was logged out of Apps 11i/R12 after 30 minutes of inactivity, but the user's cookie is still valid on SSO (as no idle session timeout is set on the SSO Server), so the user can re-login to Apps without entering a password, since the request is authenticated by the SSO server.

How to avoid this situation?
Make the Idle Session Timeout for the Oracle SSO server in line with Apps 11i/R12.
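To make the loophole concrete, here is a small model of the two session layers described above: an application with its own 30-minute idle timeout in front of an SSO server whose Global Inactivity Timeout is either unset (the default) or aligned with the application. This is an added illustration, not Oracle's code or the ssogito.sql script; the class names, the `simulate` function, the constructed credentials and the minute values are all assumptions of the model.

```python
"""Model of the idle-timeout mismatch between an application session and an
SSO cookie. Added illustration, not Oracle's code; class and function names
are assumptions and the credentials and timings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SsoServer:
    """Single Sign-On server holding authenticated sessions (cookies)."""
    gito_minutes: Optional[int] = None            # None = no Global Inactivity Timeout
    sessions: Dict[str, int] = field(default_factory=dict)  # cookie -> last activity (minutes)

    def login(self, user: str, password: str, now: int) -> str:
        # Constructed credential check standing in for the real password store.
        if password != f"{user}-secret":
            raise PermissionError("bad credentials")
        cookie = f"sso-{user}"
        self.sessions[cookie] = now
        return cookie

    def touch(self, cookie: str, now: int) -> None:
        """Record activity for a cookie (assumption: app activity refreshes SSO)."""
        if cookie in self.sessions:
            self.sessions[cookie] = now

    def validate(self, cookie: str, now: int) -> bool:
        """Is the SSO cookie still usable at time `now`?"""
        last = self.sessions.get(cookie)
        if last is None:
            return False
        if self.gito_minutes is not None and now - last > self.gito_minutes:
            del self.sessions[cookie]             # inactivity expired the SSO session
            return False
        self.sessions[cookie] = now
        return True


@dataclass
class AppServer:
    """Application (e.g. E-Business Suite) with its own idle timeout."""
    sso: SsoServer
    idle_minutes: int = 30
    last_activity: Optional[int] = None

    def request(self, cookie: str, now: int) -> str:
        # App session still alive: serve normally and count it as SSO activity too.
        if self.last_activity is not None and now - self.last_activity <= self.idle_minutes:
            self.last_activity = now
            self.sso.touch(cookie, now)
            return "served"
        # App session expired (or not yet established): ask SSO to authenticate.
        if self.sso.validate(cookie, now):
            self.last_activity = now
            return "authenticated by SSO cookie"   # no password typed
        self.last_activity = None
        return "credentials required"


def timeouts_aligned(app_idle_minutes: int, gito_minutes: Optional[int]) -> bool:
    """The post's rule: SSO must expire idle users no later than the app does."""
    return gito_minutes is not None and gito_minutes <= app_idle_minutes


def simulate(gito_minutes: Optional[int], idle_gap_minutes: int) -> str:
    """Log in at t=0, use the app once, then come back after `idle_gap_minutes`."""
    sso = SsoServer(gito_minutes=gito_minutes)
    app = AppServer(sso=sso, idle_minutes=30)
    cookie = sso.login("alice", "alice-secret", now=0)   # constructed user
    app.request(cookie, now=0)                           # first access establishes the app session
    return app.request(cookie, now=idle_gap_minutes)


if __name__ == "__main__":
    # Default SSO configuration (no GITO): the app timed out, but SSO silently re-authenticates.
    print("GITO unset, idle 35 min:", simulate(None, 35))
    # GITO aligned with the app's 30 minutes: the user must present credentials again.
    print("GITO 30,    idle 35 min:", simulate(30, 35))
    print("aligned:", timeouts_aligned(30, 30), timeouts_aligned(30, None))
```

Running the model with the default (unset) GITO reproduces the behaviour the post describes: after 35 idle minutes the application session is gone, yet the SSO cookie still answers for the user. Setting GITO to 30 minutes (equal to the application's idle timeout) turns that into a genuine re-login.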

How to set Session Time out or Global Inactivity Timeout for Oracle Single Sign-On Server
—————————————————————————————–

1. Execute ssogito.sql from $ORACLE_HOME/sso/admin/plsql/sso (on the SSO tier) as the orasso schema
2. There are a few more steps on the SSO server, which you can find in the link below


Oracle Documentation
———————————
Configuring the Global User Inactivity Timeout at Global Inactivity Timeout in Oracle SSO Server




Related Docs

357687.1 - How to Verify if mod_osso Global Inactivity Timeout (GITO) is Working
301894.1 - What is the difference between the SSO session duration timeout and the global inactivity timeout values
340708.1 - Global Inactivity TimeOut (GITO) does not work
561224.1 - Where In The Metadata Repository Database Is The GITO Cookie Name Stored?
445336.1 - SSO Global Inactivity Timeout Is Not Protecting the Customize Link
418385.1 - Intermittent 500 Internal Server Error accessing Production with SSO GIT set on Test system
