I know my bank website zealously logs me out of its web interface if I'm idle for more than five minutes.
You have to manually log in all over again, remember what you were doing, then navigate back to where you were and resume your work. The browser definitely isn't the forgetful party here. As programmers, I think we can do better. If you configure Tomcat to time out after 2 minutes, but Liferay to time out after 10 minutes, Tomcat will terminate the session after 2 minutes, while Liferay's JS code will try to terminate it again after 10 minutes, naturally not having any effect on the old session. That means every single request your browser sends to a web server is a newborn babe-in-arms, cruelly born into a world that is utterly and completely oblivious to its existence. If you're worried about session hijacking -- and you really should be -- use an HTTPS protected connection. Far from it. The best option, short of encrypting the entire connection from end to end via HTTPS, is to keep a tight expiration window on the session cookie, and regenerate it frequently.
Programming and human factors
If you configure Tomcat to time out after 2 minutes, but Liferay to time out after 10 minutes, Tomcat will terminate the session after 2 minutes, while Liferay's JS code will try to terminate it again after 10 minutes, naturally not having any effect on the old session. I never added any ext for extending the session time out from web. This is serious stuff, and mitigation strategies are limited. If you configure Tomcat and Liferay to time out after 2 minutes, the session will time out after two minutes every time, through whatever mechanism comes first. If anything, the server has all the information it needs to remember you, even if you walked away from your computer for a week. As a user, I can say pretty unequivocally that session expiration sucks. Regenerate a new cookie with timed expiration, say, every 5 or 10 minutes. But that doesn't make it right.
They have phone calls to take, meetings to go to, other websites and applications to attend to. But that doesn't make it right. If you're worried about session hijacking -- and you really should be -- use an HTTPS protected connection. Note that there are different session timeouts: Tomcat times out sessions after a given time, e.
Increasing session timeout - Forums
You have to manually log in all over again, remember what you were doing, then navigate back to where you were and resume your work. As a programmer, I understand why session expiration occurs. As programmers, I think we can do better. If you're worried about session hijacking -- and you really should be -- use an HTTPS protected connection. Far from it.
Browser session expired (timeout) - how to avoid on large forms | InMotion Hosting
It's up to the server to associate the unique session identifier sent by the browser with your individual identity, context, settings, and preferences. As programmers, I think we can do better. I am inundated with session timeout messages every day from a variety of sources, but I've never once seen a session expiration message from Gmail, for example. Note that there are different session timeouts: Tomcat times out sessions after a given time, e. I wish more developers would test their web applications for session timeout issues. Despite all rumors to the contrary, your users will not be dedicating their entire lives to using your web application in a punctual and timely manner. Tomcat's configuration is done in web.