I recently spent some time investigating a client’s reports of unexpected behavior with the duration of browser sessions while testing an application on a test server. From time to time, they were required to log in even while actively using an application. In this post, I’ll highlight the difference between an idle session timeout and an LTPA token expiration, which serve different purposes and, in the latter case, may cause frustration if not understood.
User Expectations
Most users are familiar with the concept of a browser session timing out if left idle for too long. In this case, websites will generally inform the user that the session has expired and require the user to log in again in order to continue.
But users will generally not expect to be required to log in again while actively using an application, so it’s important to understand why it might happen and what you can do about it.
Idle Session Timeout – Server
The Domino server document defines how long a session may sit idle before the server logs it out automatically. It is configured on the server document under Internet Protocols... > Domino Web Engine > Idle session time-out
The default is 30 minutes.
Idle Session Timeout – Application
There is also an application-level setting for the session timeout, which can be found on the General tab of Xsp Properties. It sets the xsp.session.timeout property (a value in minutes):
xsp.session.timeout=30
LTPA Token Timeout
If single sign-on is configured to share the session between multiple servers, a Web SSO Configuration document in the Domino Directory defines the SSO parameters.
The key setting in this case is the Expiration (minutes) field on the Basics tab of the document. This defines the lifespan of the LTPA token that is issued when the user logs in.
The important thing to understand is that this has nothing to do with how active or idle the session is.
This is a fixed length of time, counted from the moment the token is issued, for which the token will be valid. Activity on the session does not extend it. Once it expires, the user will be prompted to log in again. This can be very confusing to a user who is actively using the application!
Improving the Experience
There are a number of ways to implement controls to keep a session from timing out due to inactivity (periodic requests from the page, for example), but they will have no effect on the expiration of the LTPA token.
In order to prevent users from being frustrated with frequent logouts, some very smart people, including Per Lausten and Sean Cull, have written about this in years past and have recommended setting the token expiration to a much larger number in order to prevent unexpected behavior. The idle session timeout can still do its job dealing with inactive sessions (and you as a developer can programmatically work to keep them alive if desired). One caveat when choosing that larger number: the LTPA token is a bearer cookie, validated only by its signature and the expiration embedded in it, so a longer lifespan also lengthens the window in which a copied cookie remains usable. A value that comfortably covers a working day is usually a better trade-off than an open-ended one, and the cookie should only ever travel over HTTPS.
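To make the distinction concrete, here is an added Python example (not code from the original post, and not Domino's own implementation) that builds and parses a token in the version 1 LtpaToken layout Domino uses for multi-server SSO, then replays a user's requests against both an idle timeout and the token's embedded expiration. The shared secret, user name and login time are constructed for the example, and the simulate_session helper is an illustration of the two server-side checks described above rather than Domino's actual code.

```python
import base64
import hashlib
import hmac
from typing import List, Optional, Tuple

# Version 1 LtpaToken layout, as issued for Domino multi-server SSO:
#   4 bytes version marker (00 01 02 03)
#   8 ASCII hex characters: creation time, seconds since the epoch
#   8 ASCII hex characters: expiration time, seconds since the epoch
#   the user's canonical name
#   20-byte SHA-1 over everything above followed by the shared LTPA secret
# The whole thing is base64-encoded into the LtpaToken cookie value.
LTPA_VERSION = b"\x00\x01\x02\x03"
DIGEST_LEN = 20

# Constructed secret for this example only. A real server uses the decoded
# LTPA_DominoSecret from its Web SSO Configuration document.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-one"


def make_ltpa_token(username: str, secret: bytes, created: int, expiration_minutes: int) -> str:
    """Issue a token at login time. The expiration is fixed here and never updated."""
    expires = created + expiration_minutes * 60
    body = (LTPA_VERSION
            + f"{created:08X}".encode("ascii")
            + f"{expires:08X}".encode("ascii")
            + username.encode("utf-8"))
    digest = hashlib.sha1(body + secret).digest()
    return base64.b64encode(body + digest).decode("ascii")


def parse_ltpa_token(token: str, secret: bytes) -> dict:
    """Check the signature and return the fields a server reads from the cookie."""
    raw = base64.b64decode(token)
    if len(raw) < 4 + 8 + 8 + DIGEST_LEN or raw[:4] != LTPA_VERSION:
        raise ValueError("not a version 1 LtpaToken")
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + secret).digest()
    # Constant-time compare: a cookie signed with a different secret is rejected,
    # which is why every server in the SSO group must share the same secret.
    if not hmac.compare_digest(digest, expected):
        raise ValueError("LtpaToken signature does not match this server's secret")
    return {
        "user": body[20:].decode("utf-8"),
        "created": int(body[4:12], 16),
        "expires": int(body[12:20], 16),
    }


def simulate_session(token: str, secret: bytes, idle_timeout_minutes: int,
                     request_minutes: List[int]) -> Optional[Tuple[str, int]]:
    """Replay requests made at the given minutes after login and report the first
    one that would be bounced to the login form as (reason, minute), or None.
    Each request resets the idle timer; nothing moves the token's expiration."""
    info = parse_ltpa_token(token, secret)
    last_activity = info["created"]
    for minute in request_minutes:
        now = info["created"] + minute * 60
        if now >= info["expires"]:
            return ("ltpa_expired", minute)
        if now - last_activity > idle_timeout_minutes * 60:
            return ("idle_timeout", minute)
        last_activity = now
    return None


if __name__ == "__main__":
    login_at = 1_700_000_000  # constructed login time
    user = "CN=Jane Doe/O=Acme"
    short = make_ltpa_token(user, DEMO_SECRET, login_at, 30)
    long_lived = make_ltpa_token(user, DEMO_SECRET, login_at, 480)
    busy_user = list(range(5, 480, 5))  # a request every 5 minutes for a working day
    print(parse_ltpa_token(short, DEMO_SECRET))
    print("30-minute token, active user:", simulate_session(short, DEMO_SECRET, 30, busy_user))
    print("8-hour token, active user:   ", simulate_session(long_lived, DEMO_SECRET, 30, busy_user))
    print("8-hour token, 45-minute gap: ", simulate_session(long_lived, DEMO_SECRET, 30, [10, 55]))
```

With a 30-minute token the busy user is bounced at minute 30 even though the idle timer never fires; with an 8-hour token the same user works all day, and only a real gap in activity (the 45-minute one) trips the idle timeout. Parsing the token with any other secret raises, which is the property that lets servers trust the cookie without any shared session state.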
