Configuring idle timeout
You have two options for setting idle timeout in IG/OpenIG depending on your requirements:
- JwtSession - if you use this object to store sessions, you can specify how long they are valid for. This is not strictly an idle timeout, but may be sufficient for your needs.
- HTTP session - if you require true idle timeout functionality, then you must specify session timeout settings in the web application container.
If you are using the JwtSession object to store sessions, then you can use the sessionTimeout property to specify how long sessions are valid for:
- In IG 5 and later, there is a persistentCookie property - this must be set to true to create persistent cookies and then you should set sessionTimeout to the period of time for which the JWT session is valid. Once this time period is exceeded, the cookie will expire.
- In OpenIG 4, cookies are always persistent, which means you just need to set the sessionTimeout property.
See Configuration Reference › JwtSession for further information including valid duration settings for the sessionTimeout property.
If you want true session idle timeout, you need to set the <session-timeout> property either in the web application container configuration file (global setting) or in the web.xml file (located in the WEB-INF directory) for the IG/OpenIG web application; the setting in the web application's web.xml file overrides the global setting.
For example, to set the timeout to 60 minutes:
<session-config>
    <session-timeout>60</session-timeout>
</session-config>
The required global configuration file varies according to which container you use:
- Apache Tomcat™ - web.xml (located in the /path/to/tomcat/conf/ directory).
- Jetty® - webdefault.xml (located in the /path/to/jetty/etc/ directory).
- JBoss® - web.xml (located in the server/<profile>/deploy/jboss-web.deployer/conf/ directory).
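The difference between the two options above can be seen by replaying the same request timeline against both expiry models. This is an added illustration, not IG/OpenIG code: the class names are hypothetical, the timelines are constructed, and the fixed-lifetime model assumes the JWT session is valid for sessionTimeout counted from its creation, as described above.

```python
from dataclasses import dataclass

@dataclass
class FixedLifetimeSession:
    """Model of JwtSession sessionTimeout: valid for a set period from creation."""
    timeout: int      # minutes
    created: int = 0  # minute the session was created

    def request(self, now: int) -> bool:
        # Activity never extends the lifetime.
        return now - self.created < self.timeout

@dataclass
class IdleTimeoutSession:
    """Model of container <session-timeout>: expires after `timeout` idle minutes."""
    timeout: int
    last_access: int = 0
    alive: bool = True

    def request(self, now: int) -> bool:
        if self.alive and now - self.last_access >= self.timeout:
            self.alive = False      # once invalidated, it stays invalid
        if self.alive:
            self.last_access = now  # each accepted request resets the idle clock
        return self.alive

def replay(session, request_times):
    """Return the request times (minutes since login) the session still accepts."""
    return [t for t in request_times if session.request(t)]

# Constructed timelines, in minutes since login.
ACTIVE_USER = [0, 20, 40, 59, 80, 100, 130]  # never idle for 60 minutes
WALKED_AWAY = [0, 10, 75, 80]                # 65-minute gap after minute 10

if __name__ == "__main__":
    for name, timeline in (("active", ACTIVE_USER), ("walked away", WALKED_AWAY)):
        print(name, "fixed 60:", replay(FixedLifetimeSession(60), timeline))
        print(name, "idle 60: ", replay(IdleTimeoutSession(60), timeline))
    # A long fixed lifetime does not end an unattended session early.
    print("walked away, fixed 480:", replay(FixedLifetimeSession(480), WALKED_AWAY))
```

With a 60-minute value, the fixed lifetime logs out an active user at the 60-minute mark, while the idle timeout keeps them signed in; with a long fixed lifetime, a session left unattended stays usable until the lifetime ends.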
There are no session expired triggers in IG/OpenIG that can automatically log you out of an associated application once the session expires. One possible solution would be to call the logout endpoint on the other application every time a user arrives at IG/OpenIG without a valid session; however, if this requires tokens or other values that IG/OpenIG won't have access to (because the user's session has expired or does not exist) then this will not be possible.