Logging out an administrator is an important security event (in the mind of auditors).
Since it is not possible to force an admin to actively log out, we need to detect the absence of keep-alive messages from the admin's browser.
- Detect time-outs of the user session due to inactivity by implementing this functionality as a separate web-app, so that the AdminGUI jsessionid cookie is not sent with the servlet poke.
- New hidden service that
  - looks for sessions where the servlet poke has not taken place and destroys the related AdminGUI session.
  - looks for regular timed-out known sessions.
- Connect the Logout link to the same logout code, where the event is audit-logged.
- A user session timeout will result in an audit log event.
- A user closing the browser/tab will result in an audit log event and an unusable session.
- A user pressing Logout will result in an audit log event.