Aligning session timeouts
Often, identity providers have default session timeouts by which a user’s session is terminated after a certain period of inactivity. Magnolia also has a <session-timeout>
parameter that is set at ./apache-tomcat/conf/web.xml
under a default configuration section.
However, to avoid any potential issues when using the SSO module, you should align the session timeout of your identity provider (such as Okta).
Session timeout after user inactivity
The session timeout defines the allowed time of inactivity after which the user must login again. The session timeout for the Magnolia AdminCentral is bound to the session timeout of the underlying servlet container. The inactivity itself is measured from the last request to the server.
- The default timeout is
-
30
minutes.
If you’re running Magnolia locally, you can typically find this file at ./apache-tomcat/conf/web.xml
. For instance, on a Tomcat server, the session timeout is configured per web application in the web.xml
as shown below.
For more in-depth information on Vaadin session timeouts, see the Vaadin docs. |
Configure the session timeout
-
Go to
apache-tomcat/conf/web.xml
. -
Update
<session-timeout>
to your desired duration.apache-tomcat/conf/web.xml<session-config> <session-timeout>30</session-timeout> (1) </session-config>
1 The session timeout in minutes.
If you are using an Identity Provider for SSO, you’ll need to ensure that the web.xml configuration for <session-timeout> is aligned with your provider. For example, if your timeout for Okta is 2 hours (120 minutes), you should set <session-timeout> to 120 .
|