Timeout Behavior for Applications

Different timeout settings are applied to an integrated environment to ensure secure and seamless working. To change these settings, hosted customers must contact IBM Emptoris Support.

With the integration of products with the Emptoris® Strategic Supply Management Platform, the session timeout for all products is based on the following three properties. This section also provides information on the following topics:

LTPA timeout

When you log in to an Emptoris application, either by using the Emptoris Strategic Supply Management Platform login page or the external SSO login page, you are given an LTPA token by the WebSphere Application Server. This is your authentication token which you can use to validate your access to the Emptoris applications. The LTPA token has a fixed lifetime and upon timeout, you are logged out of the application and must provide login credentials again to get a new token.

The LTPA token cannot be extended or renewed, even if a user is active in a session. As a result, your session ends after the LTPA timeout has elapsed, and you need to log in again to continue working. This fixed LTPA lifetime is a security mechanism that prevents an unlimited lease on a user session, which would be vulnerable to exploitation from unauthorized sources.

With the LTPA mechanism, you can lose your unsaved work. As a result, the LTPA timeout must be set to the longest time that your IT Security team allows under your corporate compliance policies. The LTPA timeout is common for all applications. You can specify the LTPA timeout while you are installing the applications. You can modify it after installation by changing the settings in the WebSphere Application Server (WAS) console.

For changing this property, refer to Changing LTPA Timeout.

HTTP Session timeout

The session timeout settings keep your application session active as long as you are actively working in it. When you access an Emptoris application, an HTTP session is created. It is a usability and resource management mechanism, designed to retain certain non-secure information about you to provide a seamless experience. A session is timed out after a specified period of inactivity for better management of memory resources.

Session timeouts in the 10.0.0.x and 10.0.1.x releases are not coordinated. The session timeout is set separately for each application. Because the sessions are not coordinated, in an integrated applications environment, if you move from the first IBM Emptoris application to a second application, the session timeout counter starts for the first application as it becomes idle. The session with the first application can end if its session timeout is reached. If you navigate back to the first application after its session times out, you receive a new session and are redirected to the home page of that application. Your previous data is lost if it was not saved before you navigated away from the first application.

In 10.0.2.x, the session timeout is coordinated in an integrated environment. Coordinated sessions keep all applications active as long as you are active in at least one of the integrated applications. Note that in all cases, the session still ends if the LTPA timeout limit is reached.

Session inactivity timeout

This setting is available only from the 10.0.2 release of IBM Emptoris Suite. With the session inactivity timeout countdown, users are alerted about the session timeout in advance and sudden session termination is avoided.

For example, the session timeout is set to 30 minutes. The Session Inactivity Timeout is set to 10 minutes and the Inactivity Timeout Countdown is set to 20 seconds. With these settings, if a user session is inactive for 9 minutes, the application UI starts displaying the countdown at 9 minutes 40 seconds. It shows a link that the user can click to extend the session without being logged out. If you do not click the link before the end of the countdown, you are logged out from all the applications. In such a case, the Session Inactivity Timeout overrides the Session Timeout. In any case, the LTPA timeout overrides all other timeout settings.

Note:

The default LTPA timeout in WebSphere Application Server that hosts the Emptoris applications is 120 minutes. The default HTTP session timeout for individual Emptoris applications is 30 minutes. For version 10.0.2 and later, the default inactivity session timeout for the IBM Emptoris suite of products is 20 minutes with the default timeout count down of 20 seconds. Though the default values for LTPA timeout and HTTP session timeout can be extended, consult with your IT team to determine the appropriate timeout interval.

If your application is hosted by IBM Emptoris, for security compliance, the maximum extension that is allowed is set to a specified limit. Contact IBM Support to get more details. To request LTPA timeout extension for your hosted application, take the following steps:
  1. Obtain a written statement from your IT team. It must specify the new approved timeout period and acknowledge acceptance of the increased security risks.
  2. Submit a Support ticket for the LTPA timeout extension request and attach the consent email from your IT team for reference.

How the Session and LTPA timeouts work

In an integrated environment of multiple products, you must set the LTPA timeout to a value greater than the Session timeout value.

If a session for an application is idle for more than the Session timeout value, and if you click in the application, the application opens in the same window because the LTPA timeout is still active.

However, when the session of any application is idle for a time greater than the LTPA timeout value, and you click in an application, you are logged out of the application and must log in again to access the application.

Note: If the browser tab in which the IBM Emptoris application is running is closed but the browser is still open, the user can come back to the IBM Emptoris application without logging in again until the LTPA timeout is reached.

Example

Your integrated environment has the following products:
  • Emptoris Strategic Supply Management Platform
  • Emptoris Sourcing
  • Emptoris Contract Management

The Session timeout for Emptoris Sourcing and Emptoris Contract Management is 30 minutes each. The LTPA timeout is set to 480 minutes.

Your Emptoris Contract Management session is idle for more than 30 minutes while you are working in Emptoris Sourcing. When you click in Emptoris Contract Management again, you can access the application in the same window, because the LTPA timeout is set to 480 minutes and is still active.

However, regardless of whether a user session was active or inactive, the LTPA session expires in 480 minutes and no new session is established. You are logged out and must log in again to access the applications.
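
The following Python sketch is an added example, not IBM or Emptoris code. It models the precedence described above (LTPA timeout first, then the session inactivity timeout, then the per-application session timeout) and replays a constructed click trace with the example's 30-minute and 480-minute values; the status names, the Timeouts class and the replay function are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Timeouts:                          # all values in minutes
    ltpa: float = 120                    # fixed lifetime from login, never renewed
    session: float = 30                  # per-application idle limit
    inactivity: Optional[float] = None   # suite-wide idle limit (10.0.2 and later)
    coordinated: bool = False            # True models coordinated sessions (10.0.2.x)

    def __post_init__(self):
        if self.ltpa <= self.session:
            raise ValueError("LTPA timeout must be greater than the Session timeout")

def replay(clicks, cfg, login=0.0):
    """Classify each (minute, application) click made after a login at `login`."""
    last_any = login      # most recent activity in any application
    last_app = {}         # most recent activity per application
    results = []
    for t, app in clicks:
        if t - login >= cfg.ltpa:
            results.append((t, app, "LTPA_EXPIRED"))        # must log in again
            break
        if cfg.inactivity is not None and t - last_any >= cfg.inactivity:
            results.append((t, app, "INACTIVITY_LOGOUT"))   # logged out of all applications
            break
        if app not in last_app:
            status = "SESSION_CREATED"
        else:
            idle_since = last_any if cfg.coordinated else last_app[app]
            # New HTTP session in the same window; unsaved work in the old one is lost.
            status = "SESSION_RESET" if t - idle_since > cfg.session else "OK"
        results.append((t, app, status))
        last_any = last_app[app] = t
    return results

# Constructed click trace (minutes since login) using the example's applications.
CLICKS = [(1, "Contract Management"), (10, "Sourcing"), (25, "Sourcing"),
          (40, "Sourcing"), (55, "Contract Management"), (90, "Sourcing"),
          (480, "Sourcing")]

if __name__ == "__main__":
    for cfg in (Timeouts(ltpa=480), Timeouts(ltpa=480, inactivity=20, coordinated=True)):
        print(cfg)
        for row in replay(CLICKS, cfg):
            print("   ", row)
```

With uncoordinated sessions, the click in Contract Management at minute 55 receives a new session and the click at minute 480 is rejected by the LTPA limit. With coordinated sessions and a 20-minute inactivity timeout, the same trace ends at minute 90 with a logout from all applications.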