Project

General

Profile

Bug #7268

Session timeout issues

Added by Stefan Ruppert almost 3 years ago. Updated almost 3 years ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
10/02/2019
Due date:
% Done:

0%

Estimated time:

Description

Hi,

I'm currently have different session timeout issues. Our wt app runs using dedicated process session management and a session should timeout after 60 seconds. We also use SSL client certificates for login of users. After around 5 minutes (e.g. 5 minute - 30 seconds?) the wt http server asks the browser for a new client certificate, if the certificate is not acknowlegded within 30-60 seconds the session is terminated by the wt http server. If client certificates are disabled or acknowlegded within the 30-60 seconds the session does not time out at all. Only one session is active at one time.

I have already checked WebController and WServer source code and it seems to me that the WServer session expire 5 seconds timer does not run in this configuration!? Is there any hard-coded interval of 300 seconds (e.g. 600/2) why the wt http server asks after around 5 minutes for a new ssl client certificate?

See the attached log files.

Regards,

Stefan


Files

wt-session-timeout.tar.gz (7.43 KB) wt-session-timeout.tar.gz Log and config files Stefan Ruppert, 10/02/2019 12:09 PM
#1

Updated by Stefan Ruppert almost 3 years ago

Just forgot to mention we use wt 3.3.12!

Regards,

Stefan

#2

Updated by Roel Standaert almost 3 years ago

  • Status changed from New to Feedback

There is a hard-coded 5 minute timeout, the CONNECTION_TIMEOUT.

Can you maybe make a debug log of this happening? (Compile Wt with CMake options DEBUG=ON)

One thing I'm noticing is "CSRF protection kicked in". Under normal circumstances, you should not get that message.

If client certificates are disabled or acknowledged within the 30-60 seconds the session does not time out at all.

Just to be clear: you don't mean to say that that's an issue, right? It's supposed to never timeout as long as the page stays open in the browser.

#3

Updated by Stefan Ruppert almost 3 years ago

Roel Standaert wrote:

There is a hard-coded 5 minute timeout, the CONNECTION_TIMEOUT.

Can you maybe make a debug log of this happening? (Compile Wt with CMake options DEBUG=ON)

One thing I'm noticing is "CSRF protection kicked in". Under normal circumstances, you should not get that message.

Okay, I'll try this next week.

> If client certificates are disabled or acknowledged within the 30-60 seconds the session does not time out at all.

Just to be clear: you don't mean to say that that's an issue, right? It's supposed to never timeout as long as the page stays open in the browser.

Roel, thanks for asking. Yes I thought that this is an issue... You are completely right. There is a keepalive message each 30 seconds to signal the server part the app is still running! Thus the session-timeout interval is used to detect closed browser sessions!

Thanks for getting me back on the right track!

Stefan

#4

Updated by Roel Standaert almost 3 years ago

If you do want a timeout for sessions that are still open in the browser, that's what the <idle-timeout> is for. If there's no activity from the user, that will cause WApplication::idleTimeout() to be called, which, by default, quits the application.

Also available in: Atom PDF