Timeout management

Introduction

Timeout management in Joget plays an important role in securing your application by automatically logging users out after a specified period of inactivity. Joget provides two types of session timeouts: soft timeout and hard session timeout. These options allow you to manage user sessions effectively, ensuring security while maintaining usability.

How does it work?

Joget's session management includes the following features:

  • Soft Timeout: Logs users out after a period of inactivity, but keeps the session alive if the user is still actively working within the browser.
  • Hard Session Timeout: Forces a logout after a predetermined period, regardless of user activity.

You can configure these settings to suit your application’s security requirements. Additionally, you can redirect users to a specific landing page after a session timeout.

Soft timeout

The soft timeout is set to 30 minutes by default, meaning that if there’s no user activity within this period, the session will end.

To change the soft timeout:

  1. Go to System Settings > Directory Manager Settings.
  2. Go to Select Plugin to choose Security Enhanced Directory Manager and click the blue Select button.
  3. Check the box Allow Session Timeout (Inactivity Timeout).
  4. To change the soft timeout period, open web.xml in the apache-tomcat-x.x.xx\conf\ directory and change the time (in minutes) in the session-timeout tag.
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

Using the default directory manager

  1. While the browser window is still open, the session will remain alive regardless of the web.xml session-timeout setting. This is based on the assumption that the user is still doing long-running work in the browser (e.g., building a form, etc.), so the user isn't logged out unnecessarily.
  2. If the browser window is not open, then the session will timeout according to the session-timeout setting.

Using the security enhanced directory manager

  1. If Allow Session Timeout (Inactivity Timeout) is unchecked, the behavior is similar to the default Directory Manager.
  2. If Allow Session Timeout (Inactivity Timeout) is checked, the session will time out following the session-timeout setting regardless of whether the browser window is open or not.

Hard session timeout

Hard session timeout forces a logout after a specific number of hours, regardless of activity. The default is set to 8 hours, but you can change this value if needed.

To configure the hard session timeout:

  1. Go to System Settings > Directory Manager Settings.
  2. Go to Select Plugin to choose Security Enhanced Directory Manager and click the blue Select button.
  3. Choose the value for Hard Session Timeout (Hours).

You can change the Hard Session Timeout period to a predetermined number of hours. In accordance with current best practices, Joget does not offer the option to set the timer lower than 8 hours within the app. However, if you are insistent on customizing the value, you can do so by changing a couple of values inside the database.

To customize the Hard Session Timeout period:

  1. Using a database manager, query as follows:
    SELECT * FROM wf_setup WHERE property = 'directoryManagerImplProperties';
  2. In the value column, copy and paste the data into any notepad program.
  3. Search for the string "hardSessionTimeoutHours":"8" and change the value to "hardSessionTimeoutHours":"1".
  4. Paste the data into the table value column and save the record.
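The four manual steps above can be scripted so that the JSON in the value column is parsed and re-serialised rather than hand-edited. The following is an added example, not part of the Joget documentation or product; it assumes the wf_setup table has the property and value columns named above, stands in an in-memory SQLite database for the real Joget database, and uses a constructed sample JSON value (any key other than hardSessionTimeoutHours is a placeholder).

```python
import json
import sqlite3

PROPERTY = "directoryManagerImplProperties"
KEY = "hardSessionTimeoutHours"


def set_hard_session_timeout(conn, hours):
    """Steps 1-4 of the procedure: read the JSON stored in wf_setup.value for
    the directory manager property, change hardSessionTimeoutHours, write it
    back. Returns the value as stored (a string, matching the "8" the page shows)."""
    if not (isinstance(hours, int) and hours > 0):
        raise ValueError("hours must be a positive integer")
    row = conn.execute(
        "SELECT value FROM wf_setup WHERE property = ?", (PROPERTY,)
    ).fetchone()
    if row is None:
        raise LookupError(f"no wf_setup row for {PROPERTY}")
    props = json.loads(row[0])
    props[KEY] = str(hours)  # keep the string type Joget uses ("8" -> "1")
    conn.execute(
        "UPDATE wf_setup SET value = ? WHERE property = ?",
        (json.dumps(props, separators=(",", ":")), PROPERTY),
    )
    conn.commit()
    return props[KEY]


def get_hard_session_timeout(conn):
    """Read back the current hardSessionTimeoutHours string (None if absent)."""
    row = conn.execute(
        "SELECT value FROM wf_setup WHERE property = ?", (PROPERTY,)
    ).fetchone()
    return json.loads(row[0]).get(KEY) if row else None


def demo_db():
    # Constructed stand-in for the Joget database: an in-memory SQLite table
    # with the two columns the procedure touches, seeded with a sample JSON
    # value. "otherProperty" is a placeholder, not a real Joget key.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wf_setup (property TEXT PRIMARY KEY, value TEXT)")
    sample = {"otherProperty": "x", KEY: "8"}
    conn.execute("INSERT INTO wf_setup VALUES (?, ?)", (PROPERTY, json.dumps(sample)))
    return conn


if __name__ == "__main__":
    db = demo_db()
    print("before:", get_hard_session_timeout(db))  # 8
    set_hard_session_timeout(db, 1)
    print("after:", get_hard_session_timeout(db))   # 1
```

Against a real installation, replace demo_db() with a connection from your database driver; the SELECT and UPDATE statements stay the same.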

The idle session timeout setting is an Apache Tomcat feature, not a Joget feature. For more information on the idle session timeout setting in Apache Tomcat, see How to Configure Session Timeout in Tomcat? From other users' experiences, some timeout issues were caused by web proxy software and were resolved after the client switched to the Apache web proxy.

Landing page after session timeout

To redirect users to a specific page after a session timeout:

  1. Go to Settings > General Settings > Landing Page.
  2. Enter the URL where you want to redirect users after their session expires.
Created by Julieth Last modified by Aadrian on Dec 13, 2024