Bug #7268

open

Session timeout issues

Added by Stefan Ruppert over 4 years ago. Updated over 4 years ago.

Status: Feedback
Priority: Normal
Assignee: -
Target version: -
Start date: 10/02/2019
Due date:
% Done: 0%
Estimated time:

Description

Hi,

I currently have different session timeout issues. Our Wt app runs using dedicated process session management and a session should time out after 60 seconds. We also use SSL client certificates for login of users. After around 5 minutes (e.g. 5 minutes - 30 seconds?) the Wt http server asks the browser for a new client certificate; if the certificate is not acknowledged within 30-60 seconds, the session is terminated by the Wt http server. If client certificates are disabled or acknowledged within the 30-60 seconds, the session does not time out at all. Only one session is active at one time.

I have already checked WebController and WServer source code and it seems to me that the WServer session expire 5 seconds timer does not run in this configuration!? Is there any hard-coded interval of 300 seconds (e.g. 600/2) why the wt http server asks after around 5 minutes for a new ssl client certificate?

See the attached log files.

Regards,

Stefan


Files

wt-session-timeout.tar.gz (7.43 KB) - Log and config files - Stefan Ruppert, 10/02/2019 12:09 PM

Actions #1

Updated by Stefan Ruppert over 4 years ago

Just forgot to mention we use wt 3.3.12!

Regards,

Stefan

Actions #2

Updated by Roel Standaert over 4 years ago

  • Status changed from New to Feedback

There is a hard-coded 5 minute timeout, the CONNECTION_TIMEOUT.

Can you maybe make a debug log of this happening? (Compile Wt with CMake options DEBUG=ON)

One thing I'm noticing is "CSRF protection kicked in". Under normal circumstances, you should not get that message.

> If client certificates are disabled or acknowledged within the 30-60 seconds the session does not time out at all.

Just to be clear: you don't mean to say that that's an issue, right? It's supposed to never timeout as long as the page stays open in the browser.

Actions #3

Updated by Stefan Ruppert over 4 years ago

Roel Standaert wrote:

> There is a hard-coded 5 minute timeout, the CONNECTION_TIMEOUT.
>
> Can you maybe make a debug log of this happening? (Compile Wt with CMake options DEBUG=ON)
>
> One thing I'm noticing is "CSRF protection kicked in". Under normal circumstances, you should not get that message.

Okay, I'll try this next week.

> > If client certificates are disabled or acknowledged within the 30-60 seconds the session does not time out at all.
>
> Just to be clear: you don't mean to say that that's an issue, right? It's supposed to never timeout as long as the page stays open in the browser.

Roel, thanks for asking. Yes, I thought that this is an issue... You are completely right. There is a keepalive message every 30 seconds to signal to the server part that the app is still running! Thus the session-timeout interval is used to detect closed browser sessions!

Thanks for getting me back on the right track!

Stefan

Actions #4

Updated by Roel Standaert over 4 years ago

If you do want a timeout for sessions that are still open in the browser, that's what the <idle-timeout> is for. If there's no activity from the user, that will cause WApplication::idleTimeout() to be called, which, by default, quits the application.
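
The timer interplay described in this thread, as an added example that is not part of the original issue and is not Wt code: a simplified C++ model in which a keepalive resets the session timeout while only real user activity resets the idle timeout. The 60 s session timeout and 30 s keepalive come from the thread; `Config`, `simulate` and the 300 s idle timeout are hypothetical names and values.

```cpp
// Added example: simplified model of the timers discussed in this thread.
// Not Wt source code; all names here are hypothetical.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Config {
    int sessionTimeout; // s without any request before the server expires the session
    int keepAlive;      // s between keepalive requests while the page is open
    int idleTimeout;    // s without user activity before the app quits; 0 = disabled
};

enum class End { StillAlive, Expired, IdleQuit };
struct Result { End how; int at; };

// userEvents: sorted times (s) of real user activity (constructed input).
// pageClosedAt: time the browser tab is closed, -1 = never. horizon: simulated seconds.
Result simulate(const Config& c, const std::vector<int>& userEvents,
                int pageClosedAt, int horizon) {
    int lastRequest = 0, lastActivity = 0;
    std::size_t next = 0;
    for (int t = 1; t <= horizon; ++t) {
        const bool pageOpen = pageClosedAt < 0 || t < pageClosedAt;
        while (pageOpen && next < userEvents.size() && userEvents[next] <= t) {
            lastRequest = lastActivity = userEvents[next++]; // user input is also a request
        }
        // A keepalive resets the session timer but is not user activity.
        if (pageOpen && t % c.keepAlive == 0) lastRequest = t;
        if (pageOpen && c.idleTimeout > 0 && t - lastActivity >= c.idleTimeout)
            return {End::IdleQuit, t};
        if (t - lastRequest >= c.sessionTimeout)
            return {End::Expired, t};
    }
    return {End::StillAlive, horizon};
}

int main() {
    const Config noIdle{60, 30, 0}, withIdle{60, 30, 300};
    const Result leftOpen = simulate(noIdle, {}, -1, 3600);  // page left open, user away
    const Result closed = simulate(noIdle, {}, 100, 3600);   // tab closed at t=100
    const Result idle = simulate(withIdle, {10, 200}, -1, 3600);
    std::printf("left open: %d at %d\n", static_cast<int>(leftOpen.how), leftOpen.at);
    std::printf("closed:    %d at %d\n", static_cast<int>(closed.how), closed.at);
    std::printf("idle:      %d at %d\n", static_cast<int>(idle.how), idle.at);
    return 0;
}
```

In this model an unattended but open page keeps its session for the whole simulated hour unless an idle timeout is configured, which is the case to check on shared or certificate-authenticated workstations.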
