Setting the session timeout

Servlet containers and Web applications attach a session to each user's interaction with the server, so that information can be carried from one request to the next as the user works with the application. To limit the damage if a user's browser is left unattended, or if a session ID falls into the wrong hands, the servlet container marks a session as invalid once a certain time has elapsed since the session was last accessed. This interval is the session timeout period: a session is automatically invalidated when the time since its last access exceeds the setting, and any later request carrying that session ID is treated as the start of a new session.

You can set the session timeout period in the Sterling Configurator Visual Modeler web.xml configuration file using the session-timeout element, which belongs inside the session-config element. The value is a number of minutes; a value of zero or less tells the container never to time out sessions, which defeats the purpose of the setting. For example, to time out sessions after 30 minutes of inactivity, set the element to:

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

When setting the session timeout period, bear in mind the following:

  • The longer the timeout, the greater the risk that the servlet container runs out of memory. Each session occupies memory, and every object added to the session increases that usage. Users often do not log out explicitly, so their sessions stay resident until the container times them out. If your Web site is likely to see heavy user traffic, account for this consumption when sizing the JVM heap.
  • The longer the timeout, the greater the security risk: an unauthorized person can use an unattended Web browser whose session is still valid, or can take over a session by guessing (or otherwise obtaining) its session ID, and either attack has the whole remaining timeout period in which to succeed.
  • The session timeout period must be long enough for users to complete their tasks. If those tasks include activities such as using a third-party Web application or obtaining information from a third-party source, allow for that time as well, so that a user is not inadvertently timed out of the Sterling Configurator Visual Modeler while away from it.

For these reasons, we suggest setting a session timeout value of 30 (30 minutes). However, you must assess the needs of your implementation and select a value accordingly.
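A fuller web.xml fragment, added here as an illustration and not taken from the descriptor shipped with Sterling Configurator Visual Modeler. It places session-timeout inside its required session-config parent and, on the assumption that the servlet container accepts a Servlet 3.0 descriptor (check your container's version before relying on this), also sets the session-cookie options that make a session ID harder to capture during the timeout window:

```xml
<!-- Added example, not the product's shipped web.xml. Assumes a Servlet 3.0 container. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <session-config>
    <!-- Minutes of inactivity after which the container invalidates the session.
         0 or a negative value means "never", which removes the protection entirely. -->
    <session-timeout>30</session-timeout>

    <!-- Servlet 3.0+: harden the session cookie so the session ID is harder to
         steal while the session is still valid. -->
    <cookie-config>
      <http-only>true</http-only>   <!-- not readable from client-side script -->
      <secure>true</secure>         <!-- sent only over HTTPS -->
    </cookie-config>

    <!-- Carry the session ID only in the cookie, never rewritten into URLs
         where it could leak through server logs or the Referer header. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```

The element order inside session-config (session-timeout, then cookie-config, then tracking-mode) is the order the web-app schema requires; a descriptor that reorders them fails validation. Setting secure to true means the browser never sends the session cookie over plain HTTP, so only use it once the application is served over HTTPS, otherwise every request will start a fresh session.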