I want to force my users to log in again after a set “inactivity timeout” period. How is WebSphere Application Server supposed to work with regard to session timeouts and LTPA timeouts?
The WebSphere Application Server LTPA token expires based on the lifetime of the login session, not based upon inactivity. Thus, the WebSphere Application Server login session will not expire if the user performs no action for some period of time. However, the HttpSession does expire based upon inactivity. If your application needs to expire a user's access based on idleness, you must explicitly code this in your application. You can capture when a user arrives with an expired session (really, a new session) and force them to log in again if you think this is necessary. Keep in mind that doing this undermines Single Sign On across applications. A second approach, a slight variation on the first, is to use HttpSession.getLastAccessedTime() to compute when the last client request occurred. If that time is too far in the past, you can fail the access and force a new authentication. Either of these approaches can be made transparent to the application code thr
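The two approaches described in the answer can be combined in one servlet filter. This is an added example, not code from the original answer or from IBM; the class name `IdleTimeoutFilter`, the 15-minute limit and the redirect target are assumptions, and it assumes a Servlet 3.0+ container (`javax.servlet` namespace) where `HttpServletRequest.logout()` ends the container login.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: forces re-authentication after inactivity even though
// the LTPA token itself is still within its lifetime.
public class IdleTimeoutFilter implements Filter {
    // Assumed idle limit; keep it shorter than the HttpSession timeout if the
    // getLastAccessedTime() check is meant to fire before the session expires.
    private static final long IDLE_LIMIT_MS = 15 * 60 * 1000L;

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Approach 1: the browser presented a session id the server no longer
        // knows, i.e. the HttpSession expired through inactivity.
        boolean expiredSession = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();

        // Approach 2: the session is still alive, but the previous request is
        // too old. Assumes the container reports the previous request's time
        // while the current request is being processed; verify on your server.
        HttpSession session = req.getSession(false);
        boolean idleTooLong = session != null && !session.isNew()
                && System.currentTimeMillis() - session.getLastAccessedTime() > IDLE_LIMIT_MS;

        // Only act on authenticated users, so the login flow itself is never blocked.
        if (req.getUserPrincipal() != null && (expiredSession || idleTooLong)) {
            if (session != null) {
                session.invalidate();   // drop application state
            }
            req.logout();               // drop the container login (Servlet 3.0+)
            req.getSession(true);       // issue a fresh session id so the stale
                                        // cookie does not trigger this check again
            res.sendRedirect(req.getContextPath() + "/"); // assumed protected entry page
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to the protected URL patterns in `web.xml` so it runs before the application code. Because it logs the user out of the container, it has the Single Sign On side effect the answer warns about.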