Setting user session timeout
Starting in IBM® TRIRIGA® Application Platform 4.0, TRIRIGA introduces the user session timeout. This feature is a more granular approach to user timeouts, which are managed by the TRIRIGA platform. This TRIRIGA user session timeout is different from the application server timeout, and must be set to a value less than or equal to the application server timeout to function properly.
Administrators can take advantage of two types of TRIRIGA user session timeout settings: (1) a global user session timeout that is set in the IBM TRIRIGA Administrator Console, and (2) one or more timeout user groups, to which users can be added, that can override the global timeout setting in the Administrator Console.
If you enable the Auto Refresh option and enter the Refresh Time for a portal section or query section, then this setting keeps the session active.
Global user session timeout
You can set the global user session timeout in the IBM TRIRIGA Administrator Console as follows: field. The default field value is 30 minutes. If this field is set to a value greater than the application server timeout value, then a warning will be displayed in the Administrator Console.
In the TRIRIGA User Session Properties section, an option named Enable Unique User Session Timeout is available. To give some background, TRIRIGA supports multiple logins on different devices by the same user. Each one of these logins creates a new TRIRIGA user session. By default, all of these sessions will stay active if at least one is active. If this option is selected, then each one of these user sessions will be handled separately when measuring activity. If any one session by the user is not active, it can expire while the other sessions by the same user can still remain active.
Another option named Disable User Session Timeout is also available. If this option is selected, then all TRIRIGA user session timeout functionality will be disabled. In other words, this option will set the timeout behavior back to where it was prior to Application Platform 4.0.
Timeout user groups
You can create one or more Timeout User Group records to specify a timeout that overrides the global timeout setting in the Administrator Console. In IBM TRIRIGA Application 11.0, you can access the Timeout User Group Manager from the TRIRIGA Global Menu as follows: .
Users who are added to a Timeout User Group will have their sessions expire according to the value specified in the User Session Timeout in Minutes field of that group. As a result, the TRIRIGA platform will ignore the global timeout value that is set in the Administrator Console. If the timeout value specified for a Timeout User Group is greater than the application server timeout value, then a warning will be displayed in the Administrator Console.
If you don’t have Application 11.0, Application Platform 4.0 provides the following navigation item: Master Detail - Timeout User Groups. You can apply this navigation item to any navigation collection. For consistency with Application 11.0, you can apply it to the TRIRIGA Global Menu navigation collection as follows: .
One known limitation is that users can be added to multiple Timeout User Groups. In this scenario, the largest of the timeout values will be honored.
Session timeout dialogs
Session timeout. The Session timeout warning dialog will appear 2 minutes before the user session expires. The dialog will display 2 buttons: Log out and Stay logged in.
Login to continue. The Login to continue dialog will appear if the user session expires on non-SSO environments. The dialog will provide a Password field. Click the Continue button to close the dialog and stay in the same screen that you were in before the timeout occurred without losing unsaved data. Otherwise, click the Switch user button to return to the main login screen.
Session expired. The Session expired dialog will appear if the user session expires on SSO environments. Click the Renew session button to re-authenticate with your SSO credentials. If necessary, you will be prompted to re-authenticate with the SSO server. Upon successful authentication, the dialog will close, and you will stay in the same screen that you were in before the timeout occurred without losing unsaved data. Otherwise, click the Switch user button to return to the main login screen.
The above dialogs will only be displayed on the browser window that contains the main IBM TRIRIGA navigation.
The actual user session timeout might be delayed by several minutes because the back-end process that checks whether the user inactivity limit has elapsed runs every 10 minutes. The timeout might encounter an additional 3-minute delay because a related back-end process that records the user activity timestamp runs every 3 minutes.
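The timeout rules described above (group value overrides the global value, the largest value is honored across multiple groups, the application server timeout is the ceiling, and the two back-end intervals add delay) can be combined into a configuration audit. The following Python sketch is an added example, not TRIRIGA code; the group names, users, policy limit and the assumption that the worst case is the timeout plus both intervals are constructed for illustration.

```python
from dataclasses import dataclass, field

SWEEP_MIN = 10     # inactivity check runs every 10 minutes (from this page)
ACTIVITY_MIN = 3   # activity timestamp recorded every 3 minutes (from this page)

@dataclass
class Finding:
    user: str
    effective_min: int
    worst_case_min: int   # assumed upper bound: timeout + both intervals
    source: str           # "global" or the group whose value is honored
    issues: list = field(default_factory=list)

def effective_timeout(user, global_min, groups, memberships):
    """Group membership overrides the global value; largest group value wins."""
    mine = [(groups[g], g) for g in memberships.get(user, []) if g in groups]
    return max(mine) if mine else (global_min, "global")

def audit(users, global_min, groups, memberships, app_server_min, policy_max_min):
    findings = []
    for user in users:
        minutes, source = effective_timeout(user, global_min, groups, memberships)
        f = Finding(user, minutes, minutes + SWEEP_MIN + ACTIVITY_MIN, source)
        if minutes > app_server_min:
            f.issues.append("exceeds application server timeout")
        if f.worst_case_min > policy_max_min:
            f.issues.append("worst case exceeds policy maximum")
        if len(memberships.get(user, [])) > 1:
            f.issues.append("multiple groups: largest value honored")
        findings.append(f)
    return findings

# Constructed sample configuration (not from a real deployment).
GROUPS = {"Kiosk": 5, "Finance": 15, "Facilities": 120}
MEMBERS = {"alice": ["Finance"], "bob": ["Kiosk", "Facilities"]}

if __name__ == "__main__":
    for f in audit(["alice", "bob", "carol"], 30, GROUPS, MEMBERS,
                   app_server_min=60, policy_max_min=45):
        print(f)
```

In the sample, the user placed in both a 5-minute and a 120-minute group ends up with the 120-minute value, which is the case the known limitation above makes easy to miss.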
User session logging
To view the log details in the security.log file when either a TRIRIGA user session timeout occurs or an application server timeout occurs, you can enable the following logging categories in the Platform Logging page of the IBM TRIRIGA Administrator Console: Security Logging and HTTP Session Termination Logging.
If a TRIRIGA user session timeout occurs, a logging message similar to the following will appear in the security.log file:
AuthenticationDAO.stopUserSession: For user: [1234] Log-off type:
[TRIRIGA USER SESSION TIMEOUT]
If an application server timeout occurs, a logging message similar to the following will appear in the security.log file:
TririgaIBSHttpSessionListener.sessionDestroyed: Session ID: [123456789]
For user: [1234]; Application Server Session Inactivity Timeout - Time
since server session expired: [89000ms]
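To tell the two termination causes apart when reviewing security.log, the two message shapes shown above can be matched directly. The following Python sketch is an added example, not TRIRIGA code; the sample log text is constructed from the messages on this page, and the patterns tolerate the line wrapping shown there and any prefix a real log line may carry.

```python
import re
from collections import Counter

# Whitespace is matched with \s+ so wrapped messages still parse.
USER_LOGOFF = re.compile(
    r"AuthenticationDAO\.stopUserSession:\s+For user:\s+\[(?P<user>[^\]]+)\]\s+"
    r"Log-off type:\s+\[(?P<type>[^\]]+)\]")
SERVER_TIMEOUT = re.compile(
    r"TririgaIBSHttpSessionListener\.sessionDestroyed:\s+"
    r"Session ID:\s+\[(?P<sid>[^\]]+)\]\s+For user:\s+\[(?P<user>[^\]]+)\];\s+"
    r"Application Server Session Inactivity Timeout\s+-\s+"
    r"Time\s+since server session expired:\s+\[(?P<ms>\d+)ms\]")

def parse_terminations(text):
    """Return session-termination events in the order they appear in the log."""
    found = []
    for m in USER_LOGOFF.finditer(text):
        found.append((m.start(), {"kind": "user_session", "user": m["user"],
                                  "logoff_type": m["type"]}))
    for m in SERVER_TIMEOUT.finditer(text):
        found.append((m.start(), {"kind": "app_server", "user": m["user"],
                                  "session_id": m["sid"],
                                  "expired_ms": int(m["ms"])}))
    return [event for _, event in sorted(found, key=lambda p: p[0])]

def app_server_timeouts_by_user(events):
    """Users whose sessions were ended by the application server rather than
    by the TRIRIGA user session timeout."""
    return Counter(e["user"] for e in events if e["kind"] == "app_server")

# Constructed sample, built from the message formats shown on this page.
SAMPLE_LOG = """\
AuthenticationDAO.stopUserSession: For user: [1234] Log-off type: [TRIRIGA USER SESSION TIMEOUT]
TririgaIBSHttpSessionListener.sessionDestroyed: Session ID: [123456789]
For user: [1234]; Application Server Session Inactivity Timeout - Time
since server session expired: [89000ms]
AuthenticationDAO.stopUserSession: For user: [5678] Log-off type:
[TRIRIGA USER SESSION TIMEOUT]
"""

if __name__ == "__main__":
    events = parse_terminations(SAMPLE_LOG)
    for e in events:
        print(e)
    print(app_server_timeouts_by_user(events))
```

A user who appears mostly in the application server count is a hint that the TRIRIGA timeout applying to that user is not less than or equal to the application server timeout, which this page states is required for the feature to function properly.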