Michael_Jenkins
Sep 10, 2014

Inactivity Timeouts

We have an environment set up where we need to specify different inactivity timeouts depending on the user and/or incoming connection IP. I have an iRule that gets run on a new authenticated session that changes the session timeouts I'm aware of...

ACCESS::session data set session.inactivity_timeout 10800
ACCESS::session data set session.max_session_timeout 10800

Even though this should be for 3hrs, we have users that are getting timed out after 15 minutes (which is the Access Policy default).

Is there a different/better way that we should be changing the inactivity timeout?

Thanks!

9 Replies

  • Can you a) verify that the inactivity_timeout value in the session is getting changed to the correct value, and b) that there's no underlying keep-alives keeping the session alive?

     

  • When I look in the APM reports for session variables, it shows session.inactivity_timeout is set to 10800. But I still get timed out after 15 minutes.

     

    One other intricacy to note is that our environment is set up such that we use VIPs on different access policies but redirect the user to a single VIP for authentication, so they can access resources across different VIPs that we don't want to use the same Access Policy (we use basically empty policies for these since we're redirecting to a different VIP).

     

  • So... is this an APM multi-domain configuration? SAML? Or something homegrown? Are you applying the session activity timeout to the authentication policy or to the individual application policies?

     

  • It's a single domain configuration. We basically have a couple paths into the system. One that allows for rewriting through APM and the other which we do custom iRule rewriting and delivery. So the second one gets redirected to the first if there's no active session for its authentication, so the second one just handles whatever session gets assigned from our primary profile. In the primary policy, we're setting the default timeout to 15 minutes, and in an iRule that checks the user connection for intranet/internet IP and modifies the inactivity timeout (those two variables above) to 3 hrs.

     

  • I may still be missing the flow here. So there are (at least) two APM VIPs. When I say "multi-domain configuration", I'm referring to the multi-domain configuration setting in the access policy itself - which technically sets a domain cookie in a single domain. In any case, are you setting the APM session token as a domain cookie? If not, how are the two APM VIPs sharing the session information?

     

  • Sorry. We are not using a "multi-domain configuration" as it would be set in the APM policy, but we have our own homegrown iRules that set a domain level cookie so the session can be shared across the VIPs.

     

  • Okay then, it's starting to come together. So for clarity, you have two APM VIPs. When a user accesses one of the VIPs (the one with the empty policy), you redirect them to the other APM VIP where they're authenticated and issued a domain-scoped cookie, and then redirected back to the first VIP. Can you verify that the first VIP is 1) actually getting this cookie (the browser is sending it), and 2) that the VIP is actually consuming the cookie (use an iRule to enumerate a session variable collected from the other VIP).

     

  • It is getting it, as I can access applications through VIP2 after authenticating through VIP1. We also have iRules to enforce valid cookie existence for APM sessions across both VIPs.

     

    But with regard to inactivity timeouts, do you know if setting the session.inactivity_timeout session variable is the proper way to modify APM session timeout?

     

  • "do you know if setting the session.inactivity_timeout session variable is the proper way to modify APM session timeout?"

     

    It is.

     

    If you adjust the idle timeout in the empty access policy, does that affect the timeout to this VIP?