I want to create a rule set which should timeout the user sessions if the user is idle for 15 minutes.
And I have a few queries on this:
Kindly clarify and share the rule set for idle timeout.
The problem is that HTTP is not session based; there is not a session between the user and the MWG. The user simply makes single requests from time to time, which are authenticated and processed by MWG.
Theoretically it is possible to remember in PD Storage when a user has sent a request the last time. By doing so it is possible to identify if the user has accessed a web site within the last 15 minutes, and to do something based on this result.
The main question that comes up is what authentication is currently used?
Tracking the "last request" time for every user will not create a lot of log data but it will impact the overall performance as MWG has to remember a piece of information for every user and for every request. This may be possible for a small group of users (like "guest" users), but not likely for everyone.
Alternatively it could be possible to use cookie authentication and try to refresh the cookie expiration time from time to time.
Hi Prasanth and Andre,
I think we need to know what type of authentication you're using to help understand this better.
If you're using the authentication server, this can be done using the Hard TTL for auth server with a Soft TTL using cache remaining time, see our best practice on it:
This won't be an idle time by default, however magic could be worked to make it so. However most folks are happy with the rules by default.
I prefer this over PDStorage or Cookie auth.
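
Added example, not part of the thread and not MWG rule syntax: a generic Python model of the "remember the last request per user" idea from the replies above, next to a hard TTL counted from authentication, to show why a hard TTL alone is not an idle timeout. The class name, the one-hour hard TTL and the sample timestamps are assumptions made up for illustration.

```python
from dataclasses import dataclass

IDLE_LIMIT = 15 * 60   # 15 minutes idle, as asked in the question
HARD_TTL = 60 * 60     # assumed value; counted from authentication time


@dataclass
class Entry:
    authenticated_at: float
    last_request_at: float


class SessionTracker:
    """Per-user state, written on every request (the cost noted in the thread)."""

    def __init__(self, idle_limit=IDLE_LIMIT, hard_ttl=HARD_TTL):
        self.idle_limit, self.hard_ttl = idle_limit, hard_ttl
        self.entries = {}

    def authenticate(self, user, now):
        self.entries[user] = Entry(now, now)

    def _expired(self, e, now):
        if now - e.authenticated_at >= self.hard_ttl:
            return "hard_ttl"          # fires even for a continuously active user
        if now - e.last_request_at >= self.idle_limit:
            return "idle"              # fires only after a gap between requests
        return None

    def check(self, user, now):
        """Return 'allow' or 'reauth:<reason>' for one request at time `now`."""
        e = self.entries.get(user)
        if e is None:
            return "reauth:unknown"
        reason = self._expired(e, now)
        if reason:
            del self.entries[user]
            return "reauth:" + reason
        e.last_request_at = now        # sliding window: each request resets idle time
        return "allow"

    def purge(self, now):
        """Drop expired entries so the per-user store stays bounded."""
        stale = [u for u, e in self.entries.items() if self._expired(e, now)]
        for u in stale:
            del self.entries[u]
        return len(stale)


def demo():
    # Constructed timeline (seconds) for one user.
    t, out = SessionTracker(), []
    t.authenticate("alice", 0)
    out += [t.check("alice", s) for s in (600, 1400, 2400)]   # 1000 s gap at the end
    t.authenticate("alice", 2400)
    out += [t.check("alice", s) for s in (3000, 3800, 4600, 5400, 6100)]
    return out


if __name__ == "__main__":
    print(demo())
```
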