Windchill Inactivity Timeout for sessions STIG

avillanueva
23-Emerald I

Curious what you all feel about this requirement. 

The web server must set an inactive timeout for sessions.

What values do you have and are you seeing this requirement for those implementing NIST SP 800-53? My observation with SSO is that users will get re-authorized when refreshing the page or selecting links. However, if they execute a search or click the flyout tab after their session has been inactivated, it fails to complete the cycle. Users are grumbling that the timeout is too short and I tend to agree with them. I would not care if search worked without having to refresh the page first.

3 REPLIES

Thought of compensating controls? Like the computer locking in that timeframe instead? An additional one (probably an annoyance for your end users) would be a warning popup that allows you to refresh the session when it is getting close to the limit.

avillanueva
23-Emerald I
(To:jbailey)

We do have compensating controls and computer locking already. I can ask our team if that counts. I know it does for MFA. I think a keep-alive option kind of defeats the purpose of the control.

It might not defeat the purpose as long as it forces the user to act, otherwise cancelling the session. The one I have seen gives you a warning and if you don't acknowledge the warning and tell it to keep active, it does kill the session.

Additionally, another consideration will be Creo sessions. Creo connection to Windchill would cause problems, because even if a user is active in Creo, Windchill will show no activity if you are not directly interacting with it in the WGM.
