LTPA timeout and session management

The following sections describe different aspects of session management for the Control Center.

LTPA timeout

An administrator might want to extend the amount of time a user can be inactive before the session for the user expires. As an example, the reference implementation is configured to extend the amount of time before a user is logged out due to inactivity.

To keep user tokens from expiring regardless of session activity in the web container, the reference implementation increases the "LTPA timeout value for forwarded credentials between servers" setting. In addition to increasing the LTPA timeout, the reference implementation sets the InvalidateOnUnauthorizedSessionRequestException session management custom property so that the session manager invalidates the session in response to an unauthorized request. Invalidating the session causes the client to be redirected to the login page. For more information about the InvalidateOnUnauthorizedSessionRequestException custom property, see the WebSphere® Application Server documentation.
Note: Your WebSphere administrators need to evaluate the Lightweight Third Party Authentication (LTPA) timeout value and session management properties to ensure that they meet any necessary security requirements before they are used in a production environment.
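The two settings described above can also be applied with a wsadmin Jython script instead of the administrative console. The script below is an added example and is not part of the Control Center reference implementation or the WebSphere documentation. The node name, server name and the 720-minute timeout are placeholder values; AdminTask.setLTPATimeout and the SessionManager Property objects are the standard wsadmin interfaces as I know them, but verify both against the wsadmin reference for your WebSphere version before use.

```jython
# Added example (not from the Control Center or WebSphere documentation):
# wsadmin Jython script that (1) raises the cell-level LTPA token timeout and
# (2) sets the InvalidateOnUnauthorizedSessionRequestException session
# management custom property on one application server.
# Run with: wsadmin.sh -lang jython -f ltpa_session.py
# Assumptions: the node/server names and the timeout value are placeholders;
# AdminTask.setLTPATimeout and the SessionManager 'Property' objects are the
# standard wsadmin interfaces but should be checked against your WAS version.

NODE_NAME = 'ccNode01'        # placeholder node name
SERVER_NAME = 'ccServer1'     # placeholder server name
LTPA_TIMEOUT_MINUTES = '720'  # constructed value; review against security policy

def set_ltpa_timeout(minutes):
    # Cell-level LTPA token timeout in minutes; this is the same value as the
    # console field "LTPA timeout value for forwarded credentials between servers".
    AdminTask.setLTPATimeout('[-timeout %s]' % minutes)
    return AdminTask.getLTPATimeout()

def set_session_custom_property(node, server, name, value):
    # Locate the server's session manager and set (or update) one custom property.
    server_id = AdminConfig.getid('/Node:%s/Server:%s/' % (node, server))
    if not server_id:
        raise ValueError('server %s on node %s not found' % (server, node))
    sm_id = AdminConfig.list('SessionManager', server_id)
    # Update an existing property of the same name rather than creating a duplicate.
    for prop in AdminConfig.list('Property', sm_id).splitlines():
        if AdminConfig.showAttribute(prop, 'name') == name:
            AdminConfig.modify(prop, [['value', value]])
            return prop
    return AdminConfig.create('Property', sm_id, [['name', name], ['value', value]])

print('LTPA timeout now: %s minutes' % set_ltpa_timeout(LTPA_TIMEOUT_MINUTES))
set_session_custom_property(NODE_NAME, SERVER_NAME,
                            'InvalidateOnUnauthorizedSessionRequestException', 'true')
AdminConfig.save()
# Synchronize the node and restart the server for the session manager
# property to take effect.
```

The LTPA timeout is a cell-wide security setting, so raising it affects every application in the cell, not only the Control Center; the session management custom property is scoped to the server on which it is set, which is why the script takes a node and server name.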

HTTP session affinity

The Control Center requires HTTP session affinity. After a connection is made from the browser, the same server must be used for all subsequent requests over the life of the HTTP session.

Session persistence

Session persistence (distributed sessions) is not supported by the Control Center.