2 Replies Latest reply on Feb 17, 2016 8:23 AM by Jon Scholten

    User session should be timed out if the user is idle for 15 minutes

    Prasanth Pavan



      I want to create a rule set which should timeout the user sessions if the user is idle for 15 minutes.


      and i have a few quires on this:


      • if we want the user to be timed out if the user is idle more than 15 minutes, we may have to track each and every user session. This may create more log files for the all the users?


      Kindly clarify and share the rule set for idle timeout.




        • 1. Re: User session should be timed out if the user is idle for 15 minutes



          the problem is that HTTP is not session based, there is not a session between the user and the MWG. THe user simply makes single requests from time to time which are authenticated and processed by MWG.


          Theoretically it is possible to remember in PD Storage when a user has sent a request the last time. By doing so it is possible to identify if the user has accessed a web site within the last 15 minutes, and to do something based on this result.


          The main question that comes up is what authentication is currently used?


          Tracking the "last request" time for every user will not create a lot of log data but it will impact the overall performance as MWG has to remember a piece of information for every user and for every request. This may be possible for a small group of users (like "guest" users), but not likely for everyone.


          Alternatively it could be possible to use cookie authentication and try to refresh the cookie expiration time from time to time.




          • 2. Re: User session should be timed out if the user is idle for 15 minutes
            Jon Scholten

            HI Prasanth and Andre,


            I think we need to know what type of authentication you're using to help understand this better.


            If you're using the authentication server, this can be done using the Hard TTL for auth server with a Soft TTL using cache remaining time, see our best practice on it:

            Support Doc: Authentication Examples by Deployment Method


            This wont be an idle time by default, however magic could be worked to make it so. However most folks are happy with the rules by default.


            I prefer this over PDStorage or Cookie auth.


            Best Regards,