Interactive displacement

The prompt-for-displacement stanza entry in the [session] stanza of the WebSEAL configuration file determines whether or not a user is prompted for appropriate action when the max-concurrent-web-sessions displace policy has been exceeded. This section discusses the interactive option (prompt-for-displacement = yes), where the user is prompted for appropriate action.

Example configuration:

  • Policy setting (global example):
    pdadmin> policy set max-concurrent-web-sessions displace
  • Prompt setting:
    [session]
    prompt-for-displacement = yes

When a second login is attempted, the user receives the too_many_sessions.html response page. You can customize the contents of this page. The default message on this page states:

You are already logged in from another client. Do you want to terminate 
your existing login or cancel this new login request?

Terminate existing login
Cancel this new login

Action descriptions:

  • Terminate existing login

    The terminate action calls the WebSEAL /pkmsdisplace function. This function terminates the existing (original) login, creates a new session for the user, logs the user in transparently, and redirects the user to the requested URL.

    Note: The pkmsdisplace management page is a management command to the WebSEAL server. It is not represented in the object space and you cannot attach policies to it.

    The original session cookie remaining on the user's original browser becomes an old, or "stale" cookie that no longer maps to an existing entry in the WebSEAL session cache. If the user attempts to access another protected resource from the original (older) login session, WebSEAL requires authentication and responds with the standard login form.

    The OLDSESSION macro contained in this form is set to the value "1", indicating that the request contains an old ("stale") cookie that no longer matches any entry in the WebSEAL session cache. You can use the value of the OLDSESSION macro as a trigger for a customized response to the user. This custom response can explain more accurately why the session is no longer valid.

    For further information on this feature, see Customized responses for old session cookies.

  • Cancel this new login

    The cancel action calls the WebSEAL /pkmslogout function. This function closes the current login attempt and returns the standard WebSEAL logout page to the user. The original (older) login session can continue accessing resources.
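
The OLDSESSION trigger described under "Terminate existing login", as an added example that is not part of the product documentation or the shipped login form. It assumes the macro is written as %OLDSESSION% in the login form template and is substituted by WebSEAL before the page is served; the function names and the notice wording are constructed for illustration.

```javascript
// Added example for a customized login form; not the product's own template.
// Assumption: WebSEAL replaces the %OLDSESSION% token below before serving
// the form. If it is served unprocessed, the token stays as literal text.
const OLDSESSION_VALUE = "%OLDSESSION%";

// Constructed wording; adjust to local policy.
const DISPLACED_NOTICE =
  "Your previous session is no longer valid. It may have been ended by a " +
  "newer login with your account from another client. If you did not log " +
  "in elsewhere, contact your help desk after signing in.";

// Returns the notice text when the macro reports a stale cookie, else null.
// Only the exact value "1" triggers the notice; an empty value, "0", or a
// token that was never substituted falls through to the normal login form.
function staleSessionNotice(macroValue) {
  if (typeof macroValue !== "string") return null;
  return macroValue.trim() === "1" ? DISPLACED_NOTICE : null;
}

// Inserts the notice at the top of the login page. textContent is used so
// the message is never parsed as markup.
function showStaleSessionNotice(doc, macroValue) {
  const text = staleSessionNotice(macroValue);
  if (text === null) return false;
  const box = doc.createElement("p");
  box.setAttribute("role", "alert");
  box.textContent = text;
  doc.body.insertBefore(box, doc.body.firstChild);
  return true;
}

// Browser wiring; skipped when the file is run outside a page.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () =>
    showStaleSessionNotice(document, OLDSESSION_VALUE));
}
```

A user who sees this notice without having logged in from a second client has a signal that the account may be in use elsewhere, which is why the message points to the help desk.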

Prerequisite: The maximum concurrent sessions policy must be enabled through additional configuration. See Enforcing the maximum concurrent sessions policy.