Security: Session/Timeout Management.

For a web application that provides access to highly sensitive personal financial data, how do we guarantee that a session is destroyed once the browser has been inactive for a configured maximum period?

The client application is expected to show a warning dialog and, if there is no response within a configurable amount of time, automatically redirect the page to login. The user may have multiple tabs open across various portions of the site.

Solution/Technology

The following are the new client-side technologies; the middleware, services and back-end do not need to change.

RxJS

  • RxJS is a library for reactive programming using Observables, which makes it easier to compose asynchronous or callback-based code. It has built-in support for timeouts: the timeout operator terminates a sequence with an error if the source Observable fails to emit any item within a specified span of time (a sliding window measured from the last emission) or by an absolute time.

 Redux

  • Library to manage application state; used here to keep track of the session state shared across browser tabs.

Angular

  • Angular components have input and output properties to allow interaction with other components. For example, a component could set up its view based on configuration it receives from its parent component and then be notified to change its appearance by an event it receives from a child or sibling component.

Design

[Diagram: design]

When a login action is dispatched, the middleware (the TC proxy) forwards it to SiteMinder; the reducer stores the server response and the SMSESSION cookie, applies the payload according to the action type, and outputs the new state.

The SMSESSION cookie is used to query SiteMinder for:

  • The time SiteMinder was accessed last,
  • The time the user's session was first established, and
  • The maximum session timeout for the user.
  • The Maximum session timeout value along with

The store encompasses the whole application state; the reducers return fragments of that state to the view. Actions are the user-triggered events that describe how a given fragment of the state should change. The TC middleware is accessed on every server request to capture the maximum session timeout value, which is stored and used by the RxJS timer. The middleware is used for all server interaction that requires asynchronous requests (the diagram above depicts only SiteMinder). A reducer takes its previous state, applies the new action to it, and returns the new state.

The store is an observable, which makes access to the application's state reactive. An observable store also allows the values of several states to be combined using RxJS operators, which here are configured from the session timeout values returned by SiteMinder.

Application configuration:

  • Inactivity timeout for a user session can be set to 30 minutes or 2 hours.
    • Applied as the RxJS timeout operator on the session Observable: when it fires, the user session is terminated and the page is redirected to a timeout URL.
  • A warning is shown to the user X seconds before the timeout (expected X==60).
    • The timeout dialog offers 'Log out' and 'Keep alive' options X seconds before session timeout. If 'Log out' is clicked, the page is redirected to a specified URL. If 'Keep alive' is clicked, a keep-alive URL is requested through the dispatcher, which extends the SiteMinder session. If no option is selected within a further configured amount of time, the page is automatically redirected to the timeout URL.
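The store, reducer and timer described above, together with the configuration list, as an added example. This is not the page's or the project's code, and it uses neither RxJS nor the Redux library so that it runs under Node with no dependencies: a Redux-style session reducer, a pure timer rule with an injected clock standing in for the RxJS timeout operator, and a cross-tab mirror of the session slice standing in for localStorage and the browser's 'storage' event. Action names, URLs, the 30-minute timeout and the 60 s warning window are illustrative assumptions.

```javascript
// Added example: Redux-style session slice and the timer rule that drives it,
// with an injected clock instead of setTimeout so transitions replay deterministically.
const initialSession = {
  status: 'anonymous',  // anonymous | active | warning | expired | loggedOut
  maxTimeoutMs: 0,      // maximum inactivity SiteMinder allows, never hardcoded client-side
  lastAccess: 0,        // epoch ms of the last server round-trip (mirrored across tabs)
  redirect: null,       // URL the view must navigate to once the session is over
};

function sessionReducer(state = initialSession, action) {
  switch (action.type) {
    case 'LOGIN_SUCCESS':  // response + SMSESSION cookie carry the timeout value
    case 'SERVER_ACCESS':  // dispatched by the middleware after every server response
      if (state.status === 'expired' || state.status === 'loggedOut') return state;
      return { ...state, status: 'active', maxTimeoutMs: action.maxTimeoutMs, lastAccess: action.now };
    case 'WARNING_SHOWN':
      return state.status === 'active' ? { ...state, status: 'warning' } : state;
    case 'SESSION_TIMEOUT':
      return { ...state, status: 'expired', redirect: action.url };
    case 'LOGOUT':         // the dialog's 'Log out' button, url = config.logoutUrl
      return { ...state, status: 'loggedOut', redirect: action.url };
    default:
      return state;
  }
}

// Hypothetical deployment settings (the page expects X == 60 s for the warning).
const config = { warningMs: 60 * 1000, timeoutUrl: '/timeout', logoutUrl: '/logout' };

// Pure timer step: which action (if any) to dispatch at time `now`. The idle clock is
// the last *server* access: typing or scrolling without a request does not extend it,
// only a completed round-trip (including the keep-alive request) does.
function timerAction(state, now, cfg = config) {
  if (state.status !== 'active' && state.status !== 'warning') return null;
  const idleMs = now - state.lastAccess;
  if (idleMs >= state.maxTimeoutMs) return { type: 'SESSION_TIMEOUT', url: cfg.timeoutUrl };
  if (state.status === 'active' && idleMs >= state.maxTimeoutMs - cfg.warningMs) {
    return { type: 'WARNING_SHOWN' };
  }
  return null;
}

function createStore(reducer) {  // minimal Redux-style store, enough to run without the library
  let state = reducer(undefined, { type: '@@INIT' });
  const listeners = [];
  return {
    getState: () => state,
    dispatch(action) { state = reducer(state, action); listeners.forEach((l) => l(state)); return action; },
    subscribe(l) { listeners.push(l); },
  };
}

// Cross-tab mirror. Each tab has its own store, so the slice is copied through storage
// shared by all tabs: localStorage plus the 'storage' event in a browser, an in-memory stand-in here.
function createSharedStorage() {
  const data = new Map(), listeners = [];
  return {
    setItem(key, value) { data.set(key, value); listeners.forEach((l) => l(key, value)); },
    getItem: (key) => (data.has(key) ? data.get(key) : null),
    onChange(l) { listeners.push(l); },
  };
}

function attachTabSync(store, storage, tabId) {
  const KEY = 'session';
  store.subscribe((s) => {
    const cur = JSON.parse(storage.getItem(KEY) || '{}');
    if (cur.status === s.status && cur.lastAccess === s.lastAccess) return; // already mirrored
    storage.setItem(KEY, JSON.stringify({ tabId, ...s }));
  });
  storage.onChange((key, value) => {
    if (key !== KEY) return;
    const m = JSON.parse(value);
    if (m.tabId === tabId) return; // a real 'storage' event never fires in the writing tab
    if (m.status === 'loggedOut') store.dispatch({ type: 'LOGOUT', url: m.redirect });
    else if (m.status === 'expired') store.dispatch({ type: 'SESSION_TIMEOUT', url: m.redirect });
    else if (m.status === 'active') store.dispatch({ type: 'SERVER_ACCESS', now: m.lastAccess, maxTimeoutMs: m.maxTimeoutMs });
  });
}

// Constructed scenario: two tabs, 30-minute SiteMinder timeout. Tab A raises the dialog;
// 'Keep alive' in tab B completes a round-trip that rescues both tabs; the next idle period expires both.
function runScenario() {
  const MIN = 60 * 1000, T0 = 1700000000000, trace = [];
  const storage = createSharedStorage();
  const tabA = createStore(sessionReducer), tabB = createStore(sessionReducer);
  attachTabSync(tabA, storage, 'A');
  attachTabSync(tabB, storage, 'B');
  const tick = (store, name, now) => {
    const action = timerAction(store.getState(), now);
    if (action) { store.dispatch(action); trace.push(`${name}:${action.type}`); }
  };
  tabA.dispatch({ type: 'LOGIN_SUCCESS', now: T0, maxTimeoutMs: 30 * MIN }); // mirrored into B
  tick(tabA, 'A', T0 + 29 * MIN);          // 60 s left: dialog shown in A
  const T1 = T0 + 29 * MIN + 10000;        // user clicks 'Keep alive' in B
  tabB.dispatch({ type: 'SERVER_ACCESS', now: T1, maxTimeoutMs: 30 * MIN });
  tick(tabB, 'B', T1 + 30 * MIN);          // full idle period again: expired in B
  tick(tabA, 'A', T1 + 30 * MIN);          // A was expired through the mirror: null
  return { trace, tabA: tabA.getState(), tabB: tabB.getState() };
}
```

Calling runScenario() returns the trace ['A:WARNING_SHOWN', 'B:SESSION_TIMEOUT'] with both tabs in the expired state and redirect set to '/timeout'. Two points worth keeping in mind when wiring this into the real client: the idle clock is deliberately the last server access, because that is the only thing the SiteMinder session timeout itself counts, so a purely client-side click must not reset it; and the client timer is a usability layer, not the control itself. The server-side SiteMinder timeout remains authoritative, so the client must also treat a server rejection or login redirect on any request as session expiry rather than trusting its own clock.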

Concerns

  • None

Risks

  • A phased release plan is needed to minimize impact on the large customer base. Assumption: the designed system will affect approximately 60,000 concurrent online and mobile application customers.

Assumptions:

  1. None of the following application stack components, the database or the Ticket Server would be impacted by the proposed solution.
  • AF – Legacy Java framework
  • UAA – Spring Framework Java stack
  • API – Data access API
  • TS (Ticket Server) – Proxy between the application stack and SiteMinder.
