General question re session timeouts

Similar Messages

• Session timeout skillbuilders question

  Application security attributes settings
  Session Timeout  Maximum Session Length in Seconds   60
  On session timeout direct to this URL   <url>
  Maximum Session Idle Time in Seconds   45
  On session idle time timeout direct to this URL   <url>
  Session timeout component settings
  Name: SkillBuilders Session Timeout (1.0.1) [Plug-in]
  *Session Timeout Action  Alert
  *Session Timeout Message  Application will timeout shortly
  *Mask Browser Screen on Timeout  No
  *Session Idle Warning  Yes
  *Session Idle Title      Idle message Warning ( I cannot see this displayed but when I copied that area this came)
  *Session Idle Message    This application session will expire shortly! If you want to continue working please click ok on the alert.
  *Show Warning Seconds Before  40
  *Keep Session Alive           Yes
  So the moment I start my application and the login page is displayed i get the idle message displayed on the screen.  So my application should timeout in 1 minute. I should be alerted after 45 seconds.
  Are the settings correct?
    Murali

  Please keep in mind that maximum session length and idle time are two different things. The following configuration should satisfy your requirements
  Configure the following application attributes:
  "Maximum Session Length in Seconds" =  ??? -- you did not specify how long your session can last, if left blank it will revert to the instance level setting which defaults to 8 hours
  "Maximum Session Idle Time in Seconds" = 10800 -- the maximum amount of time the user as to interact with the server again
  Configure plugin settings:
  "Session Timeout Action" = ALERT
  "Session Timeout Message" = <your message>
  "Session Idle Warning" = Yes
  "Session Idle Title" = <your title>
  "Session Idle Message" = <your message>
  "Show Warning Seconds Before" = 900 -- 15 min x 60 seconds
  "Keep Session Alive" = Yes -- this will renew the session if the user interacts with the idle warning
  Please let me know if you have any questions.
  Good Luck!
  Tyson

• Session Timeout Question in EME

  If I login to eManager Web and instead of logging out I just close the browser will I be logged out? Will the license be released? What is the session timeout for this and is it possible to set this value?

  If you close the browser in e-Manager Enterprise Web instead of logging out there is a TimeOut that will release your license. This can be seen and is reported on in the e-Manager logs. By default the session TimeOut value is 30 minutes. You can find this and/or change this value by opening "<installdir>\Empirix\EmpAppServer\server\default\deploy\jbossweb-tomcat55.sar\conf\web.xml" in a notepad. Once the file is open, go the the ?Default Session Configuration? Section. Here you can change the TimeOut value. You will then need to save the file and restart the Empirix Application Service. The idle sessions are retired after the specified timeout is reached and the licenses are also checked upon this value. I hope this answers your questions.

• Hi I have two questions. I am using NAS 4.1 and was wondering is it possible to set a different session timeout for different users? How is the session timeout set? Thanks, YS

   

  <i>I am using NAS 4.1 and was wondering is it possible to set a different session timeout for different users?</i>
  Um, there is no such thing as NAS4.1.
  I'm assuming that you mean NAS4.0 (maybe NAS4.0sp1?). If so, then the session timeouts are specified in the session section of the NTV configuration files.
  AFAIK, you can specify session timeouts on a per user basis.

• How to configure a session timeout for DynPro applications?

  Hello,
  1. Where can I configure the session timeout of the DynPro applications?
  2. Can I configure a session timeout per application and how do I do that?

  Hello Heidi,
  I am not familiar with this property:
  1. Where can I configure it?
  2. Does it apply to every application at the portal?
  3. What if I would like to configure just one application?
  By the way, I have noticed that the DynPro application has an expirationTime property. The documentation says this:
  Specifies the lifetime in seconds of a Web application on the server before the Web application is terminated by the server. The value of the DefaultExpirationTime parameter of the system configuration is used as the default value.
  My question is if someone tried to use this property?
  Message was edited by: Roy Cohen

• What is the difference between Session timeout and Short Session timeout Under Excel Service Application -- session management?

  Under Excel Service Application --> session management; what is the difference between Session timeout and Short Session timeout?

  Any call made from the API will automatically be set to the “Session Timeout” period, no matter
  what. Calls made from EWA (Excel Web Access) will get the “Short Session Timeout” period assigned to it initially.
  Short Session Timeout and Session Timeout in Excel Services
  Short Session Timeout and Session Timeout in Excel Services - Part 2
  Sessions and session time-outs in Excel Services
  above links are from old version but still applies to all.
  Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

• Session Timeout Thoughts

  I saw a post from awhile ago that you can't change the session timeout in iTunes U. Is this still true?
  Our users are having timeout issues and we have an unfortunately lengthy login process to get back into iTunes U so I had some thoughts on the Site Login URL.
  We use a portal to authenticate our users who then click an SSO link to take them to a jump page that assembles their credentials and generates an SSO link into iTunes U. I'd really like to avoid having to go back through the portal to get users back into iTunes.
  What if, instead of passing just the destination back to the site login URL, iTunes U passed a full SSO link. This way, I can just point my site login URL to the jump page. The jump page can then parse the SSO link to verify the user's credentials and just create a new SSO link right back into iTunes U, almost transparently to the users.
  Are there any better options to solve this problem? I know this would require some modification on the iTunes U side, but it seems like it'd solve some problems.
  Thanks
  Jason

  Hi Jason,
  I don't think I did a good job at explaining what I'm trying to get at. Sorry, let me try another way.
  The problem is not one of security necessarily. If you get a signature back from Apple, sure, your jump site can verify that Apple sent you warnings about sessions that are about to timeout. The problem is that Apple cannot distinguish our local users from the identity and credentials we send. It might seem that way in specific instances (because some sites have an elaborate identity/credentialling scheme), but it is not true in the general case. It is entirely possible that scores of people can share exactly the same identity/credential info ... that is totally legal in the iTunes U world (and why I urge people not to think of "users" and "accounts" whenever they think iTunes U). For example, lessay I have a site that has a very simple credentialling scheme, say ...
  Administrator@urn:mace:itunesu.com:sites:uic.edu
  Instructor@urn:mace:itunesu.com:sites:uic.edu
  Student@urn:mace:itunesu.com:sites:uic.edu
  Authenticated@urn:mace:itunesu.com:sites:uic.edu
  Unauthenticated@urn:mace:itunesu.com:sites:uic.edu
  All@urn:mace:itunesu.com:sites:uic.edu
  Further, let's say that I "anonymize" my users by sending no identity info to Apple. So if Apple sends my jump site the following:
  credentials=Student@urn:mace:itunesu.com:sites:uic.edu
  identity=
  time=123456789
  signature=stringwith_bunch_ofhex
  which one of my local users does that belong to? ... whose session should I recredential? Sure, you can make a complex credentialling scheme that narrows usage down to the specific person ... but I would urge you to think of credentials as a kind of "hall pass" ... a token that lets you into a specific place within iTunes U ... and not as a way to identify someone. Remember that Apple has to use a system that applies in the general case and what I have above is totally legal. If I want, I can obfuscate my users to be certain that only -I- know who's accessing iTunes U.
  Recall, too, the way that iTunes U is setup. Your transfer CGI sends a URL to Apple and Apple sends you back loads of HTML/JavaScript/CSS in return. Your transfer CGI passes all of it back to the end user. The heart of the HTML Apple sends is this itmss: redirect:
  itmss://deimos.apple.com/WebObjects/Core.woa/BrowsePrivately/uic.edu?
  credentialKey=1474615910&identity=2253747564656e7422203c5374756
  4656e74407569632e6564753e202853747564656e7429205b305d&time=
  1203747692&signature=32d169daa7a282f8c7efa7d4f7f7fb0dceaac507c26
  f205123473f09d6b9ef50&x=true&ignore.mscache=8974210
  That is how Apple talks to your end users. The session is private ... between Apple and your end users. The only way for you to know which session belongs to which local user is for Apple to send you that itmss link and say, in effect, "the session associated with this link is about to time out". Your jump site would have to maintain a connection between itmss links, your local users, and the credentials associated with both. But if your site is -already- caching local user/credential info, there is no need for Apple to send your creds/identity back to you.
  As ever, if my understanding is itself cloudy, I bow to Duncan. He knows all and I am happy to be corrected. Like you guys, I am here to learn.

• Session Timeout (secs) WiSM's

  Hi All,
  Probably an easy question here.
  I am just wondering what I should set my Session Timeout (secs) on my SSID's to int the WiSM's? Mine is currently set to 1800secs, but I sort of want to change it to 300 secs so that when people walk out of a particular building, they will need to re-associate and get a new IP address (If that makes Sense!)
  Thanks,

  There is no exact definiton for session timeouts. In your case it could be 900 secs[15 mins] so hat its not too early session timeouts. Normally users need to reauthenticate if they move to different access points.

• "Session Timeout" on WebMail Today on a Win7 NetBook!!^​$*^%^*#(*

  I'm generally a low-maintenance Verizon home phone and dsl client but this is a major PITA.  Wondering if it's my OS or browsers or the crappy new netmail site is just not working today.
  Get the "Session Timeout" on everything associated with mail. Can access my home phone and dsl account profiles but zip on netmail on the "new" or even  "classic" views.  Get the pop-up to log back in and I do so, but NADA.  Cleared cookies and history frlom both Firefox and IE8 and restarted. Disabled Norton 360.  Nothing works.
  I don't access netmail often, but I am on a biz trip this week.  It's not the server.  I can send/receive on this account on both an iPhone and the work Blackberry and just did test msgs on both a few minutes ago.  But I need the netbook to send a couple of large word and excel files.
  So for my 1st post I am thinking about raising the **bleep** flag on Verizon since 2 calls and a chat runaround got me nowhere today. They are basically indifferent or uninformed.
  So are there any issues with Win7 (mine is still the starter version on the netbook) or is the site just down today?  Or am I an idiot missing something that's very obvious ? Which is entirely possible.
  Trout

  I have been having the same problem.  Never happened until a few months ago, and now happens all the time - once it times out once, that's it for the rest of the day, every subsequent login is immediately logged out again.
  Can anyone explain to me the purpose of having "the community" ask each other how to solve this problem, when clearly it is a Verizon website issue?

• Session timeout = 0 in sip.xml causes app session to expire instantly

  Hi
  I used 0 as the session timeout value by specifying in sip.xml. According to the JSR, 0 or less value for the session timeout implies session will never expire.
  However the session times out as soon as call is executed.
  <session-config>
  <session-timeout>0</session-timeout>
  </session-config>
  Thanks
  Ruchir

  Hi,
  A session must always expire eventually - it is impossible to practically reserver resources for a session indefinitely. The general interpretation of a "0" value is not that the session will be maintained indefinitely, but that it will be expired by the container based on the container's management of resources. It it not advisable to attempt to define sessions that will never expire in any case.
  BR,
  -Mike

• Session Timeout and Url Redirect in BlazeDS?

  We have a JSF2 Webapp and Flex 4 integreated.
  Question
  1. How can we pass the parameters in web.xml to make FLEX4 redirect to login page when the session timeouts instead of giving a AMF Communication Error?
  Thanks,
  User.

  hi, i am also struggling with the same problem, have you got any solution

• How to check and change the dafault session timeout of the Portal?

  Hello,
  When leaving a portal page open without using it for a certain amount of time and then accessing it again the Session times-out.
  Where can I check and change this default time-out time in case I would like to extand it for the end users?
  Roy

  Hi Roy,
  Session timeout includes multiple settings (J2EE setting and SSO setting at User Management).
  Defining the Timeout in J2EE Session
         1.      Open file web.xml (path depends on the version of EP6.0. If it is based on NW04, then
  ..\cluster\server0\apps\sap.com\irj\servlet_jsp\irj\root\WEB-INF
         2.      Enter a value in minutes under <session-timeout>. The value should roughly correspond to the length of a synchronization cycle. The default is 30 minutes.
  After a successful login, it receives a SSO ticket which is valid for longer duration (generally 8 hrs, default which you can changed using  "System Admin" as mentioned by Yoel.
  Thanks,
  Swapan

• In APEX clicking the hyper link doesn't trigger session timeout page

  Hi All,
  I have a question about the session time out in APEX application. I have created a simple APEX application. In the SQL report region section, i have code like this:
  SELECT DOC_Name, DOC_URL,
  '<a href="' || DOC_URL || ' target="_blank"/">Download file</a>' pdf_link
  FROM test_table
  where emp_number =00010001
  When user clicks on the hyper link, it will display the destination page to user(for example if DOC_URL = 'http://forums.oracle.com', it will display the oracle forum page in a new browser).
  But the issue is that, after user's session timeout (I set for 240 seconds through Shared Components>Edit Security Attributes, i set max the session timeout for example 240 seconds), when i click on this hyperlink, it doesn't trigger my session timeout page and it still displays the page (oracle forum page).
  Why in APEX clicking the hyper link doesn't trigger session timeout page after the user session timeout???
  how to implememt or fix to trigger the session timeout page after clicking on the hyperlinks?
  (BTW, our APEX version is 3.2)
  Thanks!

  Hi Lily,
  the reason for that behavior is that APEX is not involved anymore if you click on an external link. That's completely handled by your browser.
  To involve APEX timeout handling you could redirect to a specific page in your application which performs the final redirect.
  For example:
  1) Create a new page 999
  2) Create hidden page item P999_URL
  3) Create a before header PL/SQL process with the following source
  owa_util.redirect_url('http://'||:P999_URL);
  apex_application.g_unrecoverable_error := TRUE;If you want to embed a link, create a link to page 999 and set the page item P999_URL to forums.oracle.com
  You could also add a white list into the above code to verify that you are just redirecting to valid URLs, so that nobody is using your trusted application URL for phishing attacks.
  Hope that gives you a direction
  Patrick
  Regards
  Patrick
  My Blog: http://www.inside-oracle-apex.com
  APEX 4.0 Plug-Ins: http://apex.oracle.com/plugins
  Twitter: http://www.twitter.com/patrickwolf

• ADF Faces : session timeout best practice

  hi
  I made these small modifications to the web.xml file in the SRDemoSample application:
  (a) I changed the login-config from this ...
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>infrastructure/SRLogin.jspx</form-login-page>
        <form-error-page>infrastructure/SRLogin.jspx</form-error-page>
      </form-login-config>
    </login-config>... to this
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>(b) I changed the session-timeout to 1 minute.
    <session-config>
      <session-timeout>1</session-timeout>
    </session-config>Please consider this scenario:
  (1) Run the UserInterface project of the SRDemoSample application in JDeveloper.
  (2) Authenticate using "sking" and password "welcome".
  (3) Click on the "My Service Requests" tab.
  (4) Click on a "Request Id" like "111". You should see a detail page titled "Service Request Information for SR # 111" that shows detail data on the service request.
  (5) Wait for at least one minute for the session to timeout.
  (6) Click on the "My Service Requests" tab again. I see the same detail page as in (4), now titled "Service Request Information for SR #" and not showing any detail data.
  question
  What is the best practice to detect such session timeouts and handle them in a user friendly way in an ADF Faces application?
  thanks
  Jan Vervecken

  Hi,
  no. Here's the content copied from a word doc:
  A frequent question on the JDeveloper OTN forum, and also one that has been asked by customers directly, is how to detect and graceful handle user session expiry due to user inactivity.
  The problem of user inactivity is that there is no way in JavaEE for the server to call the client when the session has expired. Though you could use JavaScript on the client display to count
  down the session timeout, eventually showing an alert or redirecting the browser, this goes with a lot of overhead. The main concern raised against unhandled session invalidation due to user
  inactivity is that the next user request leads to unpredictable results and errors messages. Because all information stored in the user session get lost upon session expiry, you can't recover the
  session and need to start over again. The solution to this problem is a servlet filter that works on top of the Faces servlet. The web.xml file would have the servlet configured as follows
  1.     <filter>
  2.         <filter-name>ApplicationSessionExpiryFilter</filter-name>
  3.         <filter-class>
  4.             adf.sample.ApplicationSessionExpiryFilter
  5.         </filter-class>
  6.         <init-param>
  7.             <param-name>SessionTimeoutRedirect</param-name>
  8.             <param-value>SessionHasExpired.jspx</param-value>
  9.         </init-param>
  10.     </filter>
  This configures the "ApplicationSessionExpiryFilter" servlet with an initialization parameter for the administrator to configure the page that the filter redirects the request to. In this
  example, the page is a simple JSP page that only prints a message so the user knows what has happened. Further in the web.xml file, the filter is assigned to the JavaServer Faces
  servlet as follows
  1.     <filter-mapping>
  2.             <filter-name>ApplicationSessionExpiryFilter</filter-name>
  3.             <servlet-name>Faces Servlet</servlet-name>
  4.         </filter-mapping>
  The Servlet filter code compares the session Id of the request with the current session Id. This nicely handles the issue of the JavaEE container implicitly creating a new user session for the incoming request.
  The only special case to be handled is where the incoming request doesn't have an associated session ID. This is the case for the initial application request.
  1.     package adf.sample;
  2.     
  3.     import java.io.IOException;
  4.     
  5.     import javax.servlet.Filter;
  6.     import javax.servlet.FilterChain;
  7.     import javax.servlet.FilterConfig;
  8.     import javax.servlet.ServletException;
  9.     import javax.servlet.ServletRequest;
  10.     import javax.servlet.ServletResponse;
  11.     import javax.servlet.http.HttpServletRequest;
  12.     import javax.servlet.http.HttpServletResponse;
  13.     
  14.     
  15.     public class ApplicationSessionExpiryFilter implements Filter {
  16.         private FilterConfig _filterConfig = null;
  17.        
  18.         public void init(FilterConfig filterConfig) throws ServletException {
  19.             _filterConfig = filterConfig;
  20.         }
  21.     
  22.         public void destroy() {
  23.             _filterConfig = null;
  24.         }
  25.     
  26.         public void doFilter(ServletRequest request, ServletResponse response,
  27.                              FilterChain chain) throws IOException, ServletException {
  28.     
  29.     
  30.             String requestedSession =   ((HttpServletRequest)request).getRequestedSessionId();
  31.             String currentWebSession =  ((HttpServletRequest)request).getSession().getId();
  32.            
  33.             boolean sessionOk = currentWebSession.equalsIgnoreCase(requestedSession);
  34.           
  35.             // if the requested session is null then this is the first application
  36.             // request and "false" is acceptable
  37.            
  38.             if (!sessionOk && requestedSession != null){
  39.                 // the session has expired or renewed. Redirect request
  40.                 ((HttpServletResponse) response).sendRedirect(_filterConfig.getInitParameter("SessionTimeoutRedirect"));
  41.             }
  42.             else{
  43.                 chain.doFilter(request, response);
  44.             }
  45.         }
  46.        
  47.     }
  This servlet filter works pretty well, except for sessions that are expired because of active session invalidation e.g. when nuking the session to log out of container managed authentication. In this case my
  recommendation is to extend line 39 to also include a check if security is required. This can be through another initialization parameter that holds the name of a page that the request is redirected to upon logout.
  In this case you don't redirect the request to the error page but continue with a newly created session.
  Ps.: For testing and development, set the following parameter in web.xml to 1 so you don't have to wait 35 minutes
  1.     <session-config>
  2.         <session-timeout>1</session-timeout>
  3.     </session-config> Frank
  Edited by: Frank Nimphius on Jun 9, 2011 8:19 AM

• Portal session timeout judge

  Hi everybody,
  I have a question about portal session timeout. Now we have a javascript for session timeout in Masthead iview, which can increase the time for the active user. It uses EPCM to rase the event. But our page has four iveiws, and there is a iview form that use the javascript to submit the request, and don't refresh the whole page, so it can't call our session timeout javascript to increase the time.
  Whether we can call the javascript from other iviews? Or do we have other ways to do the session timeout judge and increase the time by user's activity in sap portal ?
  Thanks

  Hi,
  Try to subscribe to EPCM events on all navigations in your code, which will in turn update the timer
      EPCM.subscribeEvent("urn:com.sapportals:navigation", "Navigate", pop);
      EPCM.subscribeEvent("urn:com.foo.bar.myapp", "myEvent", pop);
  You can also call the update timer method (in masthead) from your I view form code using AJAX, which will be more simpler.
  Regards,
  Santhosh