PASOE: oerealm/form timeout setting

Posted by bronco on 27-Mar-2020 14:23

Hi!

11.7.5 on Linux. 

I have a NativeScript app which communicates with a PASOE backend. The PAS uses oerealm/form authentication (WEB handlers). Now I'm under the impression that a login session is timing out after two hours of doing nothing.

My question is where the timeout is set. Is it a setting in oeablSecurity.properties or does it come from the client principal (and thus the OERealm implementation)?

cheers,

Bronco

PS. for those who know, OERealm implementation is from SmartComponentLibrary, Consultingwerk.Web2.SmartFramework.Authentication.SmartHybridRealm

Posted by David Cleary on 27-Mar-2020 14:48

To extend the HTTP Session Timeout value, you must edit your web.xml. You’ll see a commented out chunk of XML there.
 
<!-- BEGIN: web application HTTP session controls used by Spring Security
     and the transports. -->
 
    <!-- USER EDIT: uncomment the <session-config> element below to
         control these HTTP session run-time attributes. PASOE does
         not support a tracking-mode of URL as this is considered
         a security vulnerability.

        <http-only> {true|false} Block cookie access to JavaScript
        <secure>    {true|false} Require HTTPS for transmitting cookie
        <tracking-mode> {COOKIE|SSL} How session id is communicated to client
        <session-timeout> {minutes}  How many minutes for a session to be
                    idle before deletion
    -->
    <!--
    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>false</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
    -->
 
Session-timeout is in minutes. Let me know if you have any other questions.
 
Thanks
Dave
 

All Replies

Posted by bronco on 27-Mar-2020 14:27

Oops, it's 11.7.4 on Windows

Posted by bronco on 27-Mar-2020 15:07

This will do :-)

Thanks Dave!

Posted by bronco on 27-Mar-2020 16:02

Well, one question. The section above is commented out, so to set a timeout I uncomment it. Clear. What is the default timeout period however?

Posted by David Cleary on 27-Mar-2020 16:14

Default is 30 minutes. Please let me know if this isn’t doing what you expect.
 
Dave
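
A check that can be run over a deployed web.xml to see what the session settings discussed in this thread actually resolve to. This is an added example, not part of any post above and not Progress code; the sample XML, the function name audit_session_config and the max_idle_min policy ceiling are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT_MIN = 30  # default given in the thread when the block stays commented out

# Constructed sample input: <session-config> uncommented, timeout raised to 2 hours.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <!-- <session-config><session-timeout>30</session-timeout></session-config> -->
    <session-config>
        <session-timeout>120</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>false</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so the check works with any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def audit_session_config(xml_text, max_idle_min=60):
    """Return (effective_timeout_minutes, findings). max_idle_min is a hypothetical policy ceiling."""
    # ElementTree drops comments, so a commented-out block is treated as absent.
    root = ET.fromstring(xml_text)
    cfg = next((e for e in root.iter() if _local(e.tag) == "session-config"), None)
    if cfg is None:
        return DEFAULT_TIMEOUT_MIN, ["session-config not active: default timeout applies"]
    vals = {}
    for el in cfg.iter():
        vals.setdefault(_local(el.tag), []).append((el.text or "").strip())
    findings = []
    timeout = int(vals.get("session-timeout", [DEFAULT_TIMEOUT_MIN])[0])
    if timeout <= 0:
        findings.append("session-timeout <= 0: sessions never expire")
    elif timeout > max_idle_min:
        findings.append(f"session-timeout {timeout} min exceeds policy ceiling {max_idle_min}")
    if "false" in [v.lower() for v in vals.get("secure", [])]:
        findings.append("secure=false: session cookie may be sent without HTTPS")
    if "false" in [v.lower() for v in vals.get("http-only", [])]:
        findings.append("http-only=false: JavaScript can read the session cookie")
    if "URL" in [v.upper() for v in vals.get("tracking-mode", [])]:
        findings.append("tracking-mode URL: not supported by PASOE, considered a vulnerability")
    return timeout, findings


if __name__ == "__main__":
    print(audit_session_config(SAMPLE_WEB_XML))
```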
 

This thread is closed