Does Pega timeout sessions based on < session-timeout > setting of web.xml? [7.2.2]
I added a configuration of <session-config><session-timeout>3</session-timeout></session-config> in web.xml, and left more than 3 minutes. However, I can keep operating without re-login. Does Pega timeout sessions based on <session-timeout> setting of web.xml?
Thanks,
Jun
**Moderation Team has archived post**
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
Accepted Solution
Pegasystems Inc.
JP
PEG
GB
Hi Jun
If you're looking to configure your system so that it re-prompts the users to log-in after a period of inactivity, you can specify this time in the Access Group (Advanced tab).
https://docs-previous.pega.com/security/85/authentication-time-out
Laurence
Pegasystems Inc.
JP
Hi Laurence,
Thank you for your reply. I am looking for how to set a time how long sessions remain at a server.
Jun
Accepted Solution
Pegasystems Inc.
JP
There are two timeouts and two behaviors to consider. All are controlled by configurable system settings. The settings are not included in standard dynamic system settings or prconfig.xml
- authentication timeout -- time after which an operator will be prompted to re-verify credentials (user/password)
- requestor timeout - timeout after which the requestor is freed from memory and "passivated"
Default behavior of Pega 72 is to "passivate" a requestor by storing it in the database, where it is available for "activation" for 24 hours or longer until the systemCleaner agent deletes it. Passivation may be changed to "disk" passivation or "never" - once freed it is gone.
Default behavior of Pega 72 is to not authenticate on activation -- if there is a submission from browser with appropriate PegaRULES session cookie, the requestor is automatically activated (loaded back into memory) without challenging the user for credentials.
Default requestor timeout is 3600 seconds - one hour.
References:
https://pdn.pega.com/documents/authentication-pegarules-process-commander-v53
https://docs-previous.pega.com/configuration-settings-reference-guide-prpc-5x-prpc-62
Commonwealth Bank Of Australia
AU
Thanks for the info, this is good to know.
But I have some further questions to this:
1. Can you please let me know where can we update the Requestor Time out in pega?
2. Where to define the passivation of the requestor to be stored to disk or "never"?
AGCS
DE
Hi hasej,
Thanks for the information in above post.
I have one question regarding authentication timeout.
Your wrote that default behavior of Pega is not to authenticate on activation. So is there any way(other than Access group or timeout settings in server) we could override the default behavior so that User is prompted for re authentication ? I tried PRPC web.xml session timeout but it doesn´t work.
Thanks,
Saurabh Sachan
HCL
IN
Hi,
My authentication timeout is 6000secs where as in prconfig timeout/browser-500,timeout/application -1000. Which one take precedence?
Capgemini
SE
Hi
The timeout/browser would cause the requestor to be passivated (disk or DB) until the System Cleaner removes it ( runs daily). This is the browser timeout function. If the suer access the application after the timeout has happened his session is restored from the DB or disk. The authentication timeout is different a it controls when the user would be prompted for userid/password to re-establish the session with pega.
So in your case if you try to access the Pega application after 100 mins ( assuming it was idle all this time), you would be prompted for user id and password.
There are two timeouts and two behaviors to consider. All are controlled by configurable system settings. The settings are not included in standard dynamic system settings or prconfig.xml
- authentication timeout -- time after which an operator will be prompted to re-verify credentials (user/password)
- requestor timeout - timeout after which the requestor is freed from memory and "passivated"
Default behavior of Pega 72 is to "passivate" a requestor by storing it in the database, where it is available for "activation" for 24 hours or longer until the systemCleaner agent deletes it. Passivation may be changed to "disk" passivation or "never" - once freed it is gone.
Default behavior of Pega 72 is to not authenticate on activation -- if there is a submission from browser with appropriate PegaRULES session cookie, the requestor is automatically activated (loaded back into memory) without challenging the user for credentials.
Default requestor timeout is 3600 seconds - one hour.
References:
https://pdn.pega.com/documents/authentication-pegarules-process-commander-v53
https://docs-previous.pega.com/configuration-settings-reference-guide-prpc-5x-prpc-62