LTPA timeout and session management
The following sections describe different aspects of session management for the Control Center.
LTPA timeout
An administrator might want to extend the amount of time a user can be inactive before the session for the user expires. As an example, the reference implementation is configured to extend the amount of time before a user is logged out due to inactivity.
To prevent user tokens from expiring, regardless of the session activity for the web container, the LTPA timeout value for forwarded credentials between servers parameter setting was increased for the reference implementation. In addition to increasing the LTPA timeout, the reference implementation sets the InvalidateOnUnauthorizedSessionRequestException session management custom property so that the session manager invalidates the session in response to unauthorized requests. Invalidating the session causes the client to be redirected to the login page. For more information about the InvalidateOnUnauthorizedSessionRequestException custom property, see the WebSphere® Application Server documentation.
Note: Your WebSphere administrators need to evaluate the Lightweight Third Party Authentication (LTPA) timeout value and session management properties to ensure that they meet any necessary security requirements before they are used in a production environment.
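The following added example (not part of the product documentation or the reference implementation) shows one way to check both settings against a local policy before production use. The XML fragments are constructed and simplified, the element and attribute layout and the value "true" for the custom property are assumptions about how the settings are stored, and the 120-minute limit is a hypothetical policy value.

```python
import xml.etree.ElementTree as ET

XMI_TYPE = "{http://www.omg.org/XMI}type"
PROP = "InvalidateOnUnauthorizedSessionRequestException"

# Constructed, simplified stand-ins for security.xml and server.xml (assumed layout).
SECURITY_XML = """<Security xmlns:xmi="http://www.omg.org/XMI">
  <authMechanisms xmi:type="security:LTPA" timeout="480"/>
</Security>"""
SERVER_XML = """<Server xmlns:xmi="http://www.omg.org/XMI">
  <components xmi:type="applicationserver.webcontainer:WebContainer">
    <services xmi:type="applicationserver.webcontainer:SessionManager">
      <properties name="InvalidateOnUnauthorizedSessionRequestException" value="true"/>
    </services>
  </components>
</Server>"""

def _by_type(xml_text, suffix):
    """Yield elements whose xmi:type ends with the given type name."""
    for el in ET.fromstring(xml_text).iter():
        if el.get(XMI_TYPE, "").endswith(":" + suffix):
            yield el

def ltpa_timeout_minutes(security_xml):
    """Return the LTPA timeout in minutes, or None if it is not present."""
    for el in _by_type(security_xml, "LTPA"):
        value = el.get("timeout")
        return int(value) if value is not None else None
    return None

def invalidate_on_unauthorized(server_xml):
    """Return the custom property's value on the session manager, or None."""
    for sm in _by_type(server_xml, "SessionManager"):
        for prop in sm.findall("properties"):
            if prop.get("name") == PROP:
                return prop.get("value")
    return None

def audit(security_xml, server_xml, max_minutes):
    """Return a list of findings; max_minutes is the site's own policy limit."""
    findings = []
    timeout = ltpa_timeout_minutes(security_xml)
    if timeout is None:
        findings.append("LTPA timeout not found")
    elif timeout > max_minutes:
        findings.append(f"LTPA timeout {timeout} min exceeds limit of {max_minutes} min")
    if (invalidate_on_unauthorized(server_xml) or "").lower() != "true":
        findings.append(f"{PROP} is not set to true")
    return findings

if __name__ == "__main__":
    print(audit(SECURITY_XML, SERVER_XML, max_minutes=120) or "no findings")
```

A long LTPA timeout without the custom property leaves an unauthorized request holding a live session, so the check reports the two settings together.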
HTTP session affinity
The Control Center requires HTTP session affinity. After a connection is made from the browser, the same server must be used for all subsequent requests over the life of the HTTP session.
Session persistence
Session persistence (distributed sessions) is not supported by the Control Center.