Question & Answer
Question
How long does a Cloud Pak for Security (CP4S) user logout session token last?
Cause
A logout occurs because the logout API clears the token from the user's cookie. This is different from the revoke API, which invalidates the token. We intend to keep them separate because there are scenarios where you want to keep the token alive after the user logs out. It is the adopter's decision whether to revoke the token as part of the logout process. CP4S can call the IAM /revoke API in this case.
Answer
The X-ISC-JWT token has a lifetime of 300 seconds and is renewed at intervals of 60 seconds by the browser.
After a user logs out, CP4S deletes the X-ISC-JWT cookie from the browser and sends a request to common services to revoke the session.
After a user has logged out, the X-ISC-JWT is still valid for up to 300 seconds from the last renew call. The user cannot renew the JWT because their session is revoked.
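One way to check for use of a token inside the post-logout window described above, added here as an example and not IBM's code: it flags requests that present an X-ISC-JWT after logout but before the 300-second lifetime from the last renew has run out. The event tuple format, session ids and timestamps are constructed for illustration and do not reflect a real CP4S log schema.

```python
from datetime import datetime, timedelta

TOKEN_LIFETIME = timedelta(seconds=300)  # X-ISC-JWT lifetime stated on the page

# Constructed sample events (hypothetical format): (ISO timestamp, session id, action)
SAMPLE_EVENTS = [
    ("2022-05-06T10:00:00", "s1", "renew"),
    ("2022-05-06T10:01:00", "s1", "renew"),
    ("2022-05-06T10:01:20", "s1", "logout"),
    ("2022-05-06T10:03:00", "s1", "request"),  # after logout, token not yet expired
    ("2022-05-06T10:06:30", "s1", "request"),  # after the token expired at 10:06:00
    ("2022-05-06T10:02:00", "s2", "renew"),
    ("2022-05-06T10:02:30", "s2", "request"),  # normal use, session still active
]


def post_logout_token_use(events):
    """Return (timestamp, session, seconds_left) for each request made after
    logout while the last-issued JWT had not yet reached its expiry."""
    last_renew, logged_out, findings = {}, set(), []
    # Same-format ISO timestamps sort chronologically as strings.
    for ts, session, action in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "renew":
            # Renewal stops working once the session is revoked at logout.
            if session not in logged_out:
                last_renew[session] = when
        elif action == "logout":
            logged_out.add(session)
        elif action == "request" and session in logged_out and session in last_renew:
            expiry = last_renew[session] + TOKEN_LIFETIME
            if when < expiry:
                seconds_left = int((expiry - when).total_seconds())
                findings.append((ts, session, seconds_left))
    return findings


if __name__ == "__main__":
    for ts, session, left in post_logout_token_use(SAMPLE_EVENTS):
        print(f"{ts} session={session} token used after logout, {left}s before expiry")
```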
Document Information
Modified date:
06 May 2022
UID
ibm16579879