Enable login timeout
When the login timeout feature is enabled, a logged-on user whose cookie-based session (such as a Web or mobile storefront session) is inactive for an extended period is logged off the system and requested to log back on. If the user subsequently logs on successfully, WebSphere Commerce runs the original request that was made by the user. If the user logon fails, the original request is discarded and the user remains logged off the system.
- For WebSphere Commerce tools (such as the Administration Console, WebSphere Commerce Accelerator, and so on), login timeout does not present a relogin page to the user. Instead, it closes the browser window and it is up to the user to log back on to the tool. Thus, in the case of tools, the original request that the user submits is not processed.
- The login timeout feature only applies to requests that are not cached.
Procedure
- Define the LoginTimeoutErrorView and ReLogonFormView views for the store as described in Views for login timeout.
- Open the Configuration Manager.
- Traverse to the Login Timeout node for the instance as follows: WebSphere Commerce > node_name > Instance List > instance > Instance Properties > Login Timeout.
- To activate the login timeout feature, click the Enable check box.
- In the Value field, enter the login timeout value, in seconds. The login timeout value is stored in the WebSphere Commerce configuration file in milliseconds, while the value in the Configuration Manager is entered in seconds.
- Click Apply.
- After the configuration for the instance is updated successfully, a message is displayed indicating a successful update.
- Restart the WebSphere Commerce instance.
Results
For web services sessions, including Management Center and Sales Center, the session uses a leasing concept, and the lease settings are stored in the WebSphere Commerce configuration file:
<ExpiryManagement ExpiryMgmtChannelId="-4" InactivityTimeout="15" Threshold="15" enable="true" />
Where:
- InactivityTimeout
- The lease time of the session in minutes. The session remains active within this time. In the sample configuration, for example, the lease time is 15 minutes.
- Threshold
- The allowable time in minutes to renew the lease. If a request comes in within this threshold time and after the lease time, the lease on the activity is renewed. In the sample configuration, for example, the threshold time is 15 minutes. Therefore, the activity remains active for 30 (15 + 15) minutes.
The InactivityTimeout parameter in the WebSphere Commerce configuration file relates to both Management Center and Sales Center. Therefore, the users of these tools are bound to the same timeout duration and cannot be separated. That is, you cannot set a timeout duration for Management Center that differs from that of Sales Center.
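The lease rule described above, worked through as an added example (not IBM code and not part of the original page): it parses the ExpiryManagement element and replays a list of request times against the lease and threshold values. The function names and the exact renewal model are assumptions based on the wording on this page; the product's implementation may differ.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the element shown on this page.
SAMPLE = '<ExpiryManagement ExpiryMgmtChannelId="-4" InactivityTimeout="15" Threshold="15" enable="true" />'


def parse_expiry(xml_text):
    """Return (enabled, lease_minutes, threshold_minutes) from an ExpiryManagement element."""
    el = ET.fromstring(xml_text)
    if el.tag != "ExpiryManagement":
        raise ValueError("expected an ExpiryManagement element")
    enabled = el.get("enable", "false").strip().lower() == "true"
    lease = int(el.get("InactivityTimeout"))
    threshold = int(el.get("Threshold"))
    if lease < 0 or threshold < 0:
        raise ValueError("timeouts must be non-negative")
    return enabled, lease, threshold


def active_window_minutes(xml_text):
    """Minutes after lease start during which the session can still be renewed."""
    enabled, lease, threshold = parse_expiry(xml_text)
    return lease + threshold if enabled else None  # None: expiry management is off


def replay(xml_text, request_minutes):
    """Classify each request time (minutes since logon) under the lease rule.

    Assumed model: the lease starts at logon; a request inside the lease is
    served without changing it; a request after the lease but inside the
    threshold renews the lease from that request; anything later is expired.
    """
    enabled, lease, threshold = parse_expiry(xml_text)
    lease_start, outcome = 0, []
    for t in sorted(request_minutes):
        idle = t - lease_start
        if not enabled or idle <= lease:
            outcome.append((t, "active"))
        elif idle <= lease + threshold:
            lease_start = t  # lease renewed from this request
            outcome.append((t, "renewed"))
        else:
            outcome.append((t, "expired"))
            break  # session is gone; later requests need a new logon
    return outcome


if __name__ == "__main__":
    print(active_window_minutes(SAMPLE), replay(SAMPLE, [10, 20, 36, 70]))
```

When reviewing a configuration, compare the value returned by active_window_minutes, not InactivityTimeout alone, against the idle-session limit in your policy.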
- Views for login timeout
To use the login timeout security feature, define the LoginTimeoutErrorView and ReLogonFormView views for the store.