...

Tip

Note that the session cache is not where timeout policy is configured, because timeout may need to be determined on an application-specific basis. It is set instead via the <Sessions> element within the application configuration section(s) of the file.

...

The feature is enabled by supplying, via the persistedAttributes setting, the list of attributes to save and transfer between nodes. The feature also requires that a <DataSealer> element be defined in the configuration. This supplies the key(s) used to encrypt and decrypt the cookies, and the security of the SP as a whole is severely compromised if those key(s) are compromised. Revoking them, however, is a simple matter of deleting or editing a file.

...

An additional limitation is a lack of session timeout. Sessions continue to expire after a fixed period of time from creation (the "lifetime" of the session), but any time a session is recovered, it is assumed to be valid with respect to timeout policy and is marked with the recovery time as its last use, so a client can repeatedly bypass any timeout setting by moving between nodes (admittedly this may not be something the client can easily control).
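The timeout gap described above, as an added toy model (not Shibboleth SP code): the cookie is a plain dict standing in for the sealed cookie, the lifetime and timeout values are assumed sample settings, and the "hardened" functions are a hypothetical variant that carries the last-used time in the cookie and re-applies timeout policy on recovery.

```python
# Toy model of the recovery timeout gap described above; not Shibboleth SP code.
# Times are seconds; a plain dict stands in for the cookie a DataSealer would seal.
LIFETIME = 8 * 3600   # fixed lifetime from creation (the "lifetime" setting)
TIMEOUT = 3600        # inactivity timeout (the "timeout" setting)

class Session:
    def __init__(self, created, last_used, attributes):
        self.created = created        # when the session was first created
        self.last_used = last_used    # last request that used it
        self.attributes = attributes  # attributes named in persistedAttributes

def is_valid(session, now):
    """Lifetime and timeout checks applied to a session in the local cache."""
    if now - session.created > LIFETIME:
        return False
    return now - session.last_used <= TIMEOUT

def persist(session):
    """Cookie content as described: creation time and attributes, no last-used time."""
    return {"created": session.created, "attributes": dict(session.attributes)}

def recover_as_described(cookie, now):
    """Recovery on another node as described: assumed within timeout policy
    and stamped with the current time as its last use."""
    return Session(cookie["created"], now, cookie["attributes"])

def persist_with_last_used(session):
    """Hypothetical hardened cookie that also carries the last-used time."""
    return {**persist(session), "last_used": session.last_used}

def recover_with_timeout(cookie, now):
    """Hypothetical hardened recovery: re-apply timeout policy to the carried
    last-used time and refuse the session if it has already expired."""
    candidate = Session(cookie["created"], cookie["last_used"], cookie["attributes"])
    if not is_valid(candidate, now):
        return None
    candidate.last_used = now
    return candidate

def idle_then_recover(hardened):
    """Idle past TIMEOUT on node A, then present the cookie to node B.
    Returns True if node B accepts the recovered session."""
    created = 1_000_000                  # constructed sample timestamp
    on_node_a = Session(created, created, {"eppn": "user@example.org"})
    now = created + 2 * TIMEOUT          # well past the inactivity timeout
    assert not is_valid(on_node_a, now)  # node A itself would reject it
    if hardened:
        return recover_with_timeout(persist_with_last_used(on_node_a), now) is not None
    return is_valid(recover_as_described(persist(on_node_a), now), now)
```

Calling idle_then_recover(False) shows the recovered session accepted despite the idle period; idle_then_recover(True) shows the hardened recovery rejecting it.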

...