Question & Answer
Question
When using the following configuration with Distributed Session Cache (DSC) enabled, the session behavior has changed in recent versions:
Reverse Proxy Configuration (webseald.conf)
[session]
lifetime = 0
DSC Configuration
maximum session lifetime = 3600
Prior to ISVA 10.0.8: Once logged into the reverse proxy, users would not be required to re-authenticate as long as they accessed the system periodically. Sessions would persist indefinitely with regular activity.
ISVA 10.0.8 and IVIA 11.0.0 and Later: After logging into the reverse proxy, users are required to re-authenticate once the DSC's maximum session lifetime has elapsed.
Why did this behavior change?
Cause
The behavior prior to ISVA 10.0.8 was problematic and has been corrected.
Previous Behavior:
The design assumed that [session] lifetime would always be shorter than maximum session lifetime. Under this assumption:
- When maximum session lifetime elapsed, the session was destroyed only in DSC
- The local session on the reverse proxy remained untouched and continued to exist
- The local session persisted according to [session] lifetime, effectively lasting until removed by the LRU (Least Recently Used) algorithm
Problem with Previous Behavior:
Sessions that exceeded maximum session lifetime were no longer managed by DSC, making them unable to be shared with other reverse proxy instances.
Current Behavior:
The implementation has been changed to not rely on the previous assumption:
- The [session] lifetime setting now overrides the lifetime of sessions stored in DSC
- Only when [session] lifetime = 0 is the maximum session lifetime used
- New logic has been added: when a session reaches its lifetime in DSC, it is removed from DSC and the associated session on the reverse proxy is destroyed at the same time
- As a result, even with [session] lifetime = 0, local sessions are destroyed when maximum session lifetime elapses, requiring re-authentication
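The previous and current rules above, as an added sketch that is not IBM's code: it reads [session] lifetime from a constructed webseald.conf fragment and reports, for a given DSC maximum session lifetime, how session expiry differs before and after the change. The function names, the result keys and the sample text are assumptions made for illustration.

```python
import re

# Constructed fragment (assumption): the first stanza is a placeholder that
# only shows values from other stanzas are ignored.
SAMPLE_CONF = """\
[example-other-stanza]
lifetime = 999

[session]
lifetime = 0
"""


def stanza_value(conf_text, stanza, key):
    """Last value of key inside [stanza]; None if absent. Skips blanks and # comments."""
    current, found = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip()
        elif current == stanza and "=" in line:
            name, value = line.split("=", 1)
            if name.strip() == key:
                found = value.strip()
    return found


def assess(conf_text, dsc_max_lifetime):
    """Compare session expiry before and after the change described on this page."""
    raw = stanza_value(conf_text, "session", "lifetime")
    if raw is None:
        raise ValueError("[session] lifetime not set in this text")
    local = int(raw)
    return {
        # Before: DSC dropped its entry at dsc_max_lifetime; the local session
        # followed [session] lifetime (None = no fixed limit, until LRU eviction).
        "before_dsc_expiry": dsc_max_lifetime,
        "before_local_expiry": local or None,
        "before_outlives_dsc": local == 0 or local > dsc_max_lifetime,
        # After: [session] lifetime overrides the DSC lifetime unless it is 0,
        # and the local session is destroyed together with the DSC entry.
        "after_expiry": local or dsc_max_lifetime,
        "upgrade_adds_reauth": local == 0,
    }


if __name__ == "__main__":
    for name, value in assess(SAMPLE_CONF, 3600).items():
        print(f"{name}: {value}")
```

A true before_outlives_dsc marks a configuration whose local sessions used to continue after DSC had dropped them, which is the unshared state described under "Problem with Previous Behavior".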
Answer
There are several options to address this behavior change:
Option 1: Switch Session Sharing Method
Discontinue use of DSC and switch to alternative session sharing methods, such as failover cookie authentication.
Option 2: Adjust Timeout Values
Configure larger values for either maximum session lifetime to reduce the frequency of re-authentication prompts.
Option 3: Use Non-Prompt Authentication Methods
Enable authentication methods that do not display prompts during re-authentication, such as:
- Basic authentication
- Certificate-based authentication
Product Synonym
ivia; isva
Document Information
Modified date: 08 May 2026
UID: ibm17272401