Windchill Inactivity Timeout for sessions STIG

Forum|Forum|1 year ago
January 22, 2025
1 reply
778 views

Curious what you all feel about this requirement.

The web server must set an inactive timeout for sessions.

What values do you have and are you seeing this requirement for those implementing NIST SP 800-53? My observation with SSO, users will get re-authorized when refreshing page or selecting links. However if they execute a search or click the flyout tab after their session has been inactivated, it failed to complete the cycle. Users are grumbling that the timeout is too short and I tend to agree with them. I would not care if search worked without having to refresh page first.

Bus_System Administration

jbailey

18-Opal

Thought of compensating controls? Like the computer locking in that timeframe instead? An additional (probably annoyance for your end users) would be a warning popup that allows you to refresh the session when it is getting close to the limit.

avillanueva

Author

23-Emerald I

We do have compensating controls and computer locking already. I can ask our team if that counts. I know it does for MFA. I think a keep alive option kind of defeats the purpose of the control.

jbailey

18-Opal

It might not defeat the purpose as long as it forces the user to act otherwise cancelling the session. The one I have seen gives you a warning and if you don't acknowledge the warning and tell it to keep active, it does kill the session.

Additionally, another consideration will be Creo sessions. Creo connection to Windchill would cause problems, because even if a user is active in Creo, Windchill will show no activity if you are not directly interacting with it in the WGM.

Sign up

Please use your PTC eSupport account.

Welcome to the PTC Community

Please use your PTC eSupport account.

Scanning file for viruses.

This file cannot be downloaded