Timeout behavior in the Persona UI
When SAML SSO is enabled, the session timeout for Product Master Persona-based UI is based on the following properties.
- Lightweight Third Party Authentication (LTPA) timeout
- Hypertext Transfer Protocol (HTTP) session timeout
- Session inactivity timeout
LTPA timeout
When you log in to the Persona-based UI, IBM® WebSphere® Liberty issues you an LTPA token, and the applications use this token to validate your access. The LTPA token cannot be extended or renewed, even for an active user session, so your session ends when the LTPA timeout is reached: you are logged out of the application and must provide your login credentials again to get a new token. This fixed LTPA lifetime is a security mechanism that prevents an unlimited user session, which would be vulnerable to exploitation from unauthorized sources.
Because the LTPA token expires regardless of activity, you can lose unsaved work. Your IT Security team should therefore set the LTPA timeout to the longest time allowed by your corporate compliance policies. The LTPA timeout is common to all applications. You can specify it while you are installing the applications, and you can modify it after installation by changing the settings in IBM WebSphere Liberty.
You can change the LTPA timeout as follows.
- Containerized deployment
  - Add the LTPA timeout setting to the Persona UI pod configuration.
- Non containerized deployment
  - Log in to the IBM WebSphere Application Server.
  - Ensure that LTPA is selected. By default, LTPA is selected.
  - Click the LTPA link.
  - Under LTPA timeout, change the LTPA timeout value, and click Apply. The default value is 480 minutes.
  - To save the change directly to the master configuration, click the Save link.
HTTP session timeout
The HTTP session timeout settings keep your application session active while you are actively working in the session. When you access the Persona-based UI, an HTTP session is created. A session is timed out after a specified period of inactivity for better management of memory resources. Note that the active session still ends when the LTPA timeout limit is reached.
- In the config.json file in the /opt/MDM/mdmui/dynamic/mdmui folder, increase the value of the timeoutTS property. The value is in seconds, and the default timeout is 30 minutes. For example, to set the timeout to 4 hours:
  "timeoutTS": "14400"
Session inactivity timeout
With the session inactivity timeout countdown, you are alerted about the upcoming session timeout in advance, so the session is not terminated without warning. Once the session timeout notification appears, any task that is work in progress is lost.
For example, suppose the HTTP session timeout is set to 30 minutes and the session inactivity timeout is set to 25 minutes, which makes the inactivity timeout countdown 5 minutes. With these settings, if a user session is inactive for 25 minutes, the application UI starts displaying a 5-minute countdown together with a link that you can click to extend the session without logging out. If you do not click the link before the countdown ends, you are logged out of the application. Note that the session still ends when the LTPA timeout limit is reached, regardless of the countdown.
- In the config.json file in the /opt/MDM/mdmui/dynamic/mdmui folder, increase the value of the idleTS property. The value is in seconds, and the default timeout is 25 minutes. For example, to set the timeout to 3.5 hours:
  "idleTS": "12600"
How the session and LTPA timeouts work together
You must set the LTPA timeout to a value greater than the session timeout value. If an application session has been idle for longer than the session timeout but shorter than the LTPA timeout, clicking in the application opens it in the same window because the LTPA token is still valid. If the session has been idle for longer than the LTPA timeout, clicking in the application logs you out, and you must log in again to access the application.
Regardless of whether a user session was active or inactive, the LTPA token expires when the LTPA timeout is reached (480 minutes by default) and no new session is established. You are logged out and must log in again to access the applications.
Best practices
To avoid loss of data or other inconveniences, follow these recommendations.
- Before you leave your application session idle, save any unsaved changes and log out of your session.
- Be aware of the LTPA limit set by your organization. If you work continuously in a session without idling, save your work and log off before your LTPA timeout limit is reached. You can log back in to start a new session.
- The session inactivity timeout (idleTS) for the Persona-based UI must not exceed the session timeout (timeoutTS).
- The session timeout must be less than the LTPA timeout.
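The ordering rules above (inactivity timeout not above session timeout, session timeout below LTPA timeout) and the config.json edits for timeoutTS and idleTS can be checked before a restart rather than discovered through unexpected logouts. The following Python script is an added example, not Product Master or WebSphere code. It assumes that config.json stores timeoutTS and idleTS as strings of seconds, as the snippets on this page show; that an absent property means the documented default (30 and 25 minutes, assumed to be stored as seconds); and that the LTPA timeout is supplied in minutes (480 by default). The function names check_timeouts and set_timeouts and the sample config are the example's own.

```python
"""Validate Persona UI timeout settings against the ordering rules above.

Added example, not Product Master or WebSphere code. Assumptions:
  - config.json holds "timeoutTS" (HTTP session timeout) and "idleTS"
    (session inactivity timeout) as strings of seconds, as on this page;
  - a missing property means the documented default (30 and 25 minutes),
    assumed here to be stored as seconds;
  - the LTPA timeout is given in minutes (WebSphere default: 480).
"""
import json

LTPA_DEFAULT_MINUTES = 480          # documented WebSphere default
DEFAULT_TIMEOUT_SECONDS = 30 * 60   # documented timeoutTS default (assumed seconds)
DEFAULT_IDLE_SECONDS = 25 * 60      # documented idleTS default (assumed seconds)

# Constructed sample of the relevant part of config.json; not a real file.
SAMPLE_CONFIG_JSON = """
{
  "timeoutTS": "1800",
  "idleTS": "1500"
}
"""


def parse_seconds(config, key, default_seconds):
    """Read a string-valued seconds property, falling back to the default."""
    raw = config.get(key, default_seconds)
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError(f"{key} must be an integer number of seconds, got {raw!r}")
    if value <= 0:
        raise ValueError(f"{key} must be positive, got {value}")
    return value


def check_timeouts(config_text, ltpa_minutes=LTPA_DEFAULT_MINUTES):
    """Return a report of the three timeouts and any ordering violations.

    Rules checked (from this page):
      idleTS    <= timeoutTS   (inactivity timeout must not exceed session timeout)
      timeoutTS <  LTPA        (session timeout must be less than LTPA timeout)
    """
    config = json.loads(config_text)
    timeout_s = parse_seconds(config, "timeoutTS", DEFAULT_TIMEOUT_SECONDS)
    idle_s = parse_seconds(config, "idleTS", DEFAULT_IDLE_SECONDS)
    ltpa_s = ltpa_minutes * 60

    problems = []
    if idle_s > timeout_s:
        problems.append(
            "idleTS exceeds timeoutTS: the HTTP session expires before the "
            "countdown warning can appear")
    if timeout_s >= ltpa_s:
        problems.append(
            "timeoutTS is not less than the LTPA timeout: the LTPA token expires "
            "first, so the HTTP session timeout is never the effective limit")

    return {
        "http_session_minutes": timeout_s / 60,
        "idle_minutes": idle_s / 60,
        # Countdown shown to the user from idleTS until timeoutTS elapses.
        "countdown_minutes": max(timeout_s - idle_s, 0) / 60,
        "ltpa_minutes": ltpa_minutes,
        "ok": not problems,
        "problems": problems,
    }


def set_timeouts(config_text, timeout_minutes, idle_minutes):
    """Return config.json text with both properties set, keeping the
    string-of-seconds convention the page's snippets use."""
    config = json.loads(config_text)
    config["timeoutTS"] = str(timeout_minutes * 60)
    config["idleTS"] = str(idle_minutes * 60)
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    # Defaults: 30/25 minutes gives the 5-minute countdown described above.
    print(check_timeouts(SAMPLE_CONFIG_JSON))
    # The page's 4 h / 3.5 h example against the default 480-minute LTPA.
    longer = set_timeouts(SAMPLE_CONFIG_JSON, 240, 210)
    print(check_timeouts(longer))
    # The same config against a 120-minute LTPA violates "session < LTPA".
    print(check_timeouts(longer, ltpa_minutes=120)["problems"])
```

Run it against the real config.json and the LTPA value your administrator configured before restarting the Persona UI pod or server; a non-empty problems list means either the countdown warning or the LTPA cutoff will not behave as this page describes.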