Secret Server

Hi,

I have what is hopefully an easy question. If I close a tab on Internet Explorer without loggin out of Secret Server and then open a new tab later in the day it will connect me straight through to secret server without logging in. I have a timeout value set to 15 minutes which works fine if you leave the tab logged in. I guess this is something that IIS controls but I'm not sure where to start looking.

Any help would be very much appreciated as this has been spotted by our security guys.

Thanks

Deane

Hello Deane,

There is a server-side setting for this.

First, you would need to disable the Remember Me feature from the Admin Configuration screen.

Then lower the session timeout in the web.config file. The timeout is in minutes and will look like the line below. (Updated to 5 minutes)

forms name="ihawu" protection="All" timeout="1000000" slidingExpiration="true" loginUrl="Login.aspx"

Setting this timeout will ignore the browser session, and the user will have to login after the timeout period elapses. The timeout begins when the user session becomes inactive.


best,
Scott
Thycotic Support

That worked a treat, thank you Scott. Changed the line to:-

forms name="ihawu" protection="All" timeout="15" slidingExpiration="true" loginUrl="Login.aspx"

to fall in line with the inactivity timeout of 15 Minutes. Restarted the web server, not sure if I needed to do this or not.

Deane

Secret Server 7.0 deprecates the aforementioned Web.config file change. We moved the forms node into a separate "web-auth.config" file located in your Secret Server directory. If you previously changed the timeout value in Web.config, you will have to similarly alter "web-auth.config" after updating. Future updates will not overwrite this file.

David
Thycotic Support