IBM Support

DASH Session Timeout Configuration Controls

Technical Blog Post



Explanation of the various controls available to DASH administrators for managing how long a user can stay logged in, and when unused sessions are cleaned up.

 

Lightweight Third Party Authentication (LTPA) token timeout

The LTPA token timeout is the duration for which the WebSphere Application Server (WAS) trusts the user's credentials. Ten minutes before the token timeout, the user will be prompted to provide the user ID and password. If the user does not enter valid credentials within five minutes after receiving the prompt, the user will be logged out. The default LTPA timeout value is 2 hours. To avoid constant prompting for authentication, never set the LTPA token timeout to less than 15 minutes.

 

Session Inactivity Timeout

A session is established for each user upon login. That session is automatically destroyed and cleaned up if there is no user activity during the timeout period. Each web application typically has independent sessions, with independent "last accessed" values.  Once the session is invalidated, the next user request will be redirected to the login page. Avoid setting extremely long session timeouts. When a user closes the browser window without actually logging out, the session inactivity timeout is responsible for automatic logoff and cleanup. 

 

Session Keep Alive

DASH ships with a feature to keep the session active for a given user as long as the user's browser is open. This feature accesses the DASH web application once per keepalive interval. The default keepalive interval is 20 minutes, and can be set to any number of minutes or -1 to disable. The value must be less than the session timeout to be effective. The feature is useful in environments where users spend long periods using web applications brought in through the web widget without interacting directly with DASH. Change the keepalive interval by stopping the server and editing the "ISC.KEEPALIVE.INTERVAL" value in the file:

console_profile_dir/config/cells/cell_name/applications/isc.ear/deployments/isc/isclite.war/WEB-INF/consoleProperties.xml

 

Sample scenarios and the settings recommended to support them:

Projected Dashboard

Scenario: I want to project my dashboard on a big screen for weeks on end without requiring someone to authenticate every day.

Configuration: Set your LTPA token timeout to a value greater than your typical server maintenance window. Do not modify the session timeout or keepalive values; the default values satisfy this scenario.

Consideration: Any computer left logged in and unattended will behave like the projected user dashboard.

 

Extra Secure

Scenario: My administrators are on for a very short period of time and then off to something else. I want to be sure they do not inadvertently leave themselves logged on somewhere.

Configuration: Set your LTPA token timeout to approximately twice the time you expect your admins to be logged on, say 30 minutes. Shorten the session timeout to 15 minutes, and the keepalive to 10 minutes.

Consideration: Any user needing to use the console longer than the LTPA token timeout will be logged out, and must log in again.
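
The three timers interact, so a settings review should check them together. The following Python example is added here and is not IBM code: it encodes the rules stated on this page (15-minute LTPA floor, prompt 10 minutes before expiry with a 5-minute response window, keepalive only effective below the session timeout) as a simplified model of how long an unattended but open browser stays logged in. The class name, function names, finding labels and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

LTPA_MIN = 15      # page: never set the LTPA token timeout below 15 minutes
PROMPT_LEAD = 10   # page: credential prompt appears 10 minutes before expiry
PROMPT_WINDOW = 5  # page: logout if no valid credentials within 5 minutes

@dataclass
class Timeouts:
    ltpa: int       # LTPA token timeout, minutes
    session: int    # session inactivity timeout, minutes
    keepalive: int  # ISC.KEEPALIVE.INTERVAL, minutes; -1 disables

def keepalive_effective(t: Timeouts) -> bool:
    # Keepalive only holds the session open if it fires before the
    # session inactivity timeout expires.
    return t.keepalive != -1 and 0 < t.keepalive < t.session

def open_browser_lifetime(t: Timeouts) -> int:
    """Minutes an unattended, open browser stays logged in (model)."""
    # Nobody answers the LTPA prompt, so logout happens when its window closes.
    forced_logout = t.ltpa - PROMPT_LEAD + PROMPT_WINDOW
    if keepalive_effective(t):
        return forced_logout          # session never goes idle
    return min(t.session, forced_logout)

def lint(t: Timeouts) -> list:
    """Return finding labels for a combination of the three settings."""
    findings = []
    if t.ltpa < LTPA_MIN:
        findings.append("ltpa-below-15-min")
    if t.keepalive != -1 and not keepalive_effective(t):
        findings.append("keepalive-ineffective")
    if keepalive_effective(t):
        # Inactivity cleanup will not fire while the browser stays open.
        findings.append("idle-open-browser-held-until-ltpa")
    return findings

if __name__ == "__main__":
    # Constructed sample configurations (minutes): ltpa, session, keepalive.
    samples = {
        "extra-secure (page values)": Timeouts(30, 15, 10),
        "extra-secure, keepalive off": Timeouts(30, 15, -1),
        "misconfigured": Timeouts(10, 15, 20),
    }
    for name, t in samples.items():
        print(name, lint(t), open_browser_lifetime(t), "min")
```

In this model the Extra Secure values keep an open, unattended browser logged in for 25 minutes, while the same values with the keepalive set to -1 let the 15-minute session timeout end it.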

 


UID

ibm11275604