Secret Server has two settings that can be used to force logout of the Secret Server session after a set amount of time.
Those settings are as follows:
Allow Remember Me
This option enables the "Remember Me" checkbox on the Login screen. When a User chooses "Remember Me", an encrypted cookie is set in their browser, which lets the User revisit Secret Server without logging in again. The cookie is no longer valid once the "Remember Me" period has expired, and the User must then enter their login information again. This option therefore allows Users to remain logged in for up to a specific period of time (the "Remember Me" setting).
This option can be a security concern because it does not require re-entry of credentials to gain access to Secret Server. The setting is only checked on page requests. It is not a sliding check; the time allowed is calculated from the login time. If you are actively using the application and the setting is 1 hour, you will be prompted to re-enter your password when that hour is up. For a sliding check, see the ASP.NET Session setting below. This setting is also used by the mobile applications (e.g. the Secret Server iPhone app) to compute a valid login session. To check for an idle screen, see the "Force Inactivity Timeout" setting below.
Force Inactivity Timeout
This setting is the time limit on idle Secret Server pages (where the user leaves the browser open to a page in Secret Server). The difference between this setting and "Remember Me is valid for" is that this timer runs in the client browser and redirects to the "Logout Expired" page when the timer expires. Note that this setting will not work if JavaScript is disabled in the user's browser. The objective of this setting is purely to prevent a password (or other sensitive data) from remaining in a browser window that is left open.
ASP.NET Session (can only be changed by Installed Edition users)
The following setting is in the Web-auth.config file in the Secret Server application directory. Changing the timeout value on this setting changes the maximum time (in minutes) that the user can leave the system idle (either by closing the browser, closing the tab, or leaving the screen up) before they are forced to log in again. The redirection to the Login page happens on the first call to the server after the timeout has expired. If either of the two settings above is set to a smaller value than the ASP.NET Session timeout, that smaller value takes effect.
<forms name="ihawu" protection="All" timeout="1000000" slidingExpiration="true" loginUrl="Login.aspx" />
Tips and tricks
If "Allow Remember Me" is turned off and you close the browser completely, you will be logged out, no matter how long the "ASP.NET Session" timeout is. ("Allow Remember Me" cannot be turned off in Online Edition)
If "Allow Remember Me" is turned off and you close the browser tab running Secret Server, but have other tabs open in the browser (or have another window of the browser open), you will only be logged out after the "ASP.NET Session" timeout expires, regardless of the value of "Force Inactivity Timeout".
"Force Inactivity Timeout" only takes effect when you leave a Secret Server page open in the browser for the set amount of time. Once the page is closed, this setting is ignored.
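As an added example (not from this article and not Secret Server code), the Python model below walks a sequence of page requests and reports which of the three mechanisms described above forces the first re-login, under the semantics the article gives: "Remember Me" is absolute from login time and is only checked on a request, the ASP.NET session is sliding and its expiry is noticed on the next server call, and the inactivity timer fires client-side while the page is left open. The policy values and request times are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class TimeoutPolicy:
    """Constructed policy: all values in minutes; None means the setting is disabled."""
    remember_me_minutes: Optional[int]  # absolute, counted from login, checked on requests
    session_timeout_minutes: int        # ASP.NET forms timeout, slidingExpiration="true"
    inactivity_minutes: Optional[int]   # Force Inactivity Timeout, JavaScript in the open page

Event = Tuple[int, int, str]  # (minute the session expired, minute the user is redirected, cause)

def first_forced_logout(policy: TimeoutPolicy, request_minutes: List[int]) -> Optional[Event]:
    """Return the first forced re-login for requests given as minutes since login (ascending),
    or None if the user stays logged in for the whole sequence."""
    last_activity = 0  # the login itself is the first activity
    for r in request_minutes:
        events: List[Event] = []
        # Client-side timer: redirects at last_activity + N while the page is still open,
        # before the next request is ever sent.
        if policy.inactivity_minutes is not None and r - last_activity > policy.inactivity_minutes:
            fired = last_activity + policy.inactivity_minutes
            events.append((fired, fired, "Force Inactivity Timeout"))
        # Sliding server session: the gap since the last call exceeded the timeout;
        # the server only notices when this request arrives.
        if r - last_activity > policy.session_timeout_minutes:
            events.append((last_activity + policy.session_timeout_minutes, r, "ASP.NET Session"))
        # Absolute Remember Me window: measured from login, not from the last request.
        if policy.remember_me_minutes is not None and r >= policy.remember_me_minutes:
            events.append((policy.remember_me_minutes, r, "Remember Me"))
        if events:
            # The smaller setting wins: earliest redirect, then earliest underlying expiry.
            return min(events, key=lambda e: (e[1], e[0]))
        last_activity = r
    return None

if __name__ == "__main__":
    active_user = TimeoutPolicy(remember_me_minutes=60, session_timeout_minutes=20, inactivity_minutes=None)
    # Steady activity keeps the sliding session alive, but Remember Me still expires at minute 60.
    print(first_forced_logout(active_user, [5, 15, 30, 45, 61]))
    # A 35-minute pause exceeds the sliding 20-minute session; noticed on the request at minute 40.
    print(first_forced_logout(active_user, [5, 40]))
```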
Article ID: 149, Created On: 3/4/2011, Modified: 12/12/2011