How to extend life time of session? - orbeon

I have an application in which I include an XForms form with Orbeon 3.9.
My form when left for about 5 minutes displays message dialog about the session being expired.
How can I extend the lifetime of form session to the time when user will close his browser?
This app will have not many users and will be idle most of the time so efficiency is not a problem.
//edit
I've just noticed that when I open multiple forms in their own tabs only last opened form has non expired session, in rest of them I see "Session has expired" dialog box.
Orbeon can handle more than one form being filled by same user in same time?

In general you can set a Java web application's session in the WAR file's web.xml with the <session-config> element. For example this sets the session timeout to 60 minutes.
<session-config>
<session-timeout>60</session-timeout>
</session-config>
You can extend the session duration accordingly.

Related

SessionState in ASP.NET MVC Application

I have an ASP.NET MVC application. I have the following:
<sessionState timeout="60" />
My question is that if a user goes on a page and takes more than 60 minutes to fill out all the fields on the page, will that constitute a timeout? What constitutes a timeout? Does a user need to go through different pages so timeout will not happen?
Simple answer is - Yes, a person taking more than the timeout (60 minutes in your example) on the same page would cause a timeout.
Session is server side, so if no requests are sent to the server for the timeout period - the session will expire and all the saved session variables will be lost.
To complicate things a little bit, if your page is making AJAX calls to the server - those could keep the session alive without navigating to a different page.
session data is stored for 60 minutes from the last request. So, if you access a page and something is stored as session data for you, it will be automatically removed after 60 minutes unless you have made a new request within this time period.
you shouldn't try to use sessions to store data for long periods of time.

ASP.NET MVC Session timeout with auto page refresh

There's one ASP.NET MVC page that is automatically refreshed every 2 minutes using the meta refresh tag. All other pages in the application does not have this auto refresh. The application uses SQL server sesssion state and timeout is set to 20 minutes. If user is on any page, it times out exactly after 20 minutes but if the user is on that specific page, where the auto refresh is set to every 2 minutes, it does not timeout after 20 minutes. Is there a way to auto refresh the page and also timeout the user after 20 minutes i.e basically being able to differentiate between user-driven action and system driven auto refresh?
No. Session timeouts are sliding. Every request the user makes to the website resets the timeout. There's no way around that.

ASP.NET Identity signout fails if inactive for longer than security stamp validation interval

My site uses ASP.Net MVC 5.2.2 and ASP.Net Identity 2.1.0. In CookieAuthenticationOptions I set the ExpireTimeSpan to 30 minutes and the security stamp validation interval is set to 2 minutes (so that users will be booted out within two minutes of a call to UserManager.UpdateSecurityStampAsync.
The problem is that if users remain idle for longer than 2 minutes and then click on the Sign Out button, the site fails to log them off. After a bit of sleuthing, I found that in these cases the server returns a new application cookie (the cookie sent to the server was different than the one returned from it). What seems to be happening is that the owin code misses the call to AuthenticationManager.SignOut and goes ahead with the generation of a new application cookie, as it normally would have in cases where the old one is more than two minutes old.
Has anybody else encountered this issue? Any suggestions on how to diagnose and fix?
I am using VS 2013 Update 3, but this issue existed with previous versions of Identity.
UPDATE:
As an experiment, I created a brand new ASP.NET Web Application project with the VS 2013 Update 3 templates and noticed the exact same issue: I logged in and then waited for an amount of time equal to the security stamp validateInterval (by default, 30 minutes). After that I clicked the Log Off link and noticed that, just like in my own project, a) I was not logged out, and b) a new security stamp cookie was issued to me. I had to click the link a second time to be logged out. In fact, I didn't even need to sit idle for 30 minutes: I could keep making requests during that period and the click to the log out button would still fail, as long as it was the first request after the 30-minute interval expired.
This seems to be a bug in the OWIN identity code. Basically, if the first request after the validation interval is a signout request, it fails, because the code that validates and issues a new security stamp does not check if the user has logged out as part of the same request. Log out requests will fail, as long as they are part of a request that would cause the re-issuance of the security stamp -- i.e. the first request that is after validationInterval minutes since issuance of the previous security stamp.
I would appreciate it if somebody could confirm this behavior. You don't have to wait 30 minutes and do not have to create a new project. Just take an existing project that uses Identity, temporarily set the validation interval to something really short (30 seconds or a minute), log in, and ensure that the first request after the interval expires is a click on the Logout button. If this is a bug, you should notice that you are still logged in.
I also experienced the same issue.
I resolved the issue by changing my AuthenticationManager.SignOut to specify an authentication type as follows:
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie, DefaultAuthenticationTypes.ExternalCookie);
Also, your OWIN components should be on version 3.0.0 (Which should be the case, since you're using Identity 2.1.0)

Log a user off when ASP.NET MVC Session expires

In ASP.NET MVC in one of the WCF services I place an object into the HttpContext.Current.Session object.
When the session times out and the session is cleared of all objects I want to log the user off but have been unable to find a way.
In Global.asax
when the Session_end method is called the Response object and HttpContext.Current are both null.
Any ideas how to log the user off is appreciated.
When the session times out the user no longer exists in any case. If what you are trying to do is clean up open browser windows you would need to implement a timer based on time remaining before session expiration.
SignIn and signout have to do with adding or deleting cookies or tokens to authenticate with an external service. The call that you see should be in the login controller and should not be moved to the global.asax.
No additional action is required.
I think it is wrong practice to try to keep session and authentication cookie in sync. Session and cookie are different things. You can login with multiple users during the same session period. You start a new session when you open some url and it ends when you close the window or it expires on the server side. For more information about session - authentication cookie relationship please read the following answer: asp.net cookies, authentication and session timeouts
Anyway if you want to do it you can use one small trick. You have to periodically call your server with ajax call for example call YourWebsite.com/chcecksession page each n seconds. There you have to check for the existence of a session variable. If it does not exists anymore then simply call FormsAuthentication.SignOut(), refresh your page and the user will be logged out.
I'm not sure about your implantation of WCF as I'm not that versed in WCF. I'm currently building a large scholarship application and we want to restrict logins to a single login per user. I have a table setup to track the userID and a GUID that I store in their Auth Cookie. You could use a session ID instead. I'll be caching the table and refreshing the cache each time I add or remove an entry. I'm using SignalR (you can get as a NuGet package) to maintain connections with each of our clients. When they close their browser SignalR can immediately report that the user is gone and I can terminate their record from the session tracking table. In your case, you could kill the session. Additionally if a user tries to login again, I can see they are already logged in. I then kill their original session and allow them to log in new.
It took a few hours to get used to using SignalR and I highly recommend the videos on Plural Sight.
Set both timeouts in following configuration to exact number of minutes. Make sure you set slidingExpiration to true, that is same as authentication will continue to extend to 30 minutes after each request, as session continues to extend after each request.
<authentication mode="Forms">
<forms loginUrl="~/Auth/SignOn.aspx" timeout="30" slidingExpiration="true" />
</authentication>
<sessionState timeout="30" />

Spring security login page time out

I am using the Spring Security Core plugin for my Grails application and I am facing a problem that when I leave my app idle for more than 5-10 minutes, I need to restart the application.
I thought it's a session time out problem so I added a session timeout tag inside my web.xml, but it didn't help.
What else can I try?
Just Check in your application may be you are using
request.getSession().setMaxInactiveInterval(Integer.parseInt(value)*60);
This Line overrides the feature of web.xml Session timeout.
Or
Use this line in your application when you are creating session for user (At login time).

Resources