The world is bad and bad boys are amongst us. They will not only change app.html, they can even steal real documents or do other things with their sessions. As a precaution, there is a new User Session Management – Expiration.
This new management makes use of the Cookie Authentication Information. User sessions can be terminated in a much more advanced way than with the usual security tokens. The rules are:
- By default, the session is set to expire 30 minutes after the last action is performed.
- The Session Timeout ranges from 1 to 10080 minutes (7 days).
- The Session Timeout Alert ranges from 0 to 120 minutes.
- Also: the Session Timeout Alert cannot be higher than the Session Timeout.
But: a session limit is not enabled by default.
If the user is not active, then the session will expire after 30 minutes from the last request made to the server.
3 minutes before the session expires (on the 27th minute), an alert is displayed to the user that their session is about to expire.
Note: A session is not always the same thing as a session. The system admin must consider these rules:
• If Content Server is active on multiple tabs of the same browser, this is considered one session
• Content Server active on multiple browsers is a separate session for each browser
• If Content Server is active on CS Mobile or Enterprise Connect, this is considered a separate session
• And when Content Server is active on other integrations like SAP, Salesforce, SuccessFactors etc., this is considered a separate session
User session terminations are preceded by some warnings. If the session is still active but will be disconnected soon, the user gets a warning.
To keep the surprise as small as possible, the user can push the “Continue Session” button and extend the session. But if the session has expired, the user gets an expiration panel.
The “Sign in” button redirects to OTDS and the user has to re-authenticate his session.
The other side: View Sessions
This will be the tool for the admin to view sessions.
And, for different reasons, there is a ‘Terminate Session’ button that ends the user session, and the user will be forced to re-authenticate.
User sessions will also be terminated by any “Logout” button and by removing the “Log-in enabled” privilege on the user profile edit page.
This will keep the bad boys out of your system.
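The rules above can be modelled in a few lines. This is an added example, not Content Server code: the names `SessionPolicy` and `Session` are hypothetical, time is counted in minutes, and treating an alert value of 0 as "no alert" is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SessionPolicy:
    timeout_min: int = 30  # default idle timeout from the post
    alert_min: int = 3     # the post's example: alert on the 27th minute

    def __post_init__(self):
        # Ranges and ordering rule as listed in the post.
        if not 1 <= self.timeout_min <= 10080:
            raise ValueError("Session Timeout must be 1..10080 minutes")
        if not 0 <= self.alert_min <= 120:
            raise ValueError("Session Timeout Alert must be 0..120 minutes")
        if self.alert_min > self.timeout_min:
            raise ValueError("Alert cannot be higher than the Session Timeout")

class Session:
    def __init__(self, policy, now_min=0):
        self.policy = policy
        self.last_request = now_min  # minute of the last server request
        self.terminated = False      # set by Logout / Terminate Session

    def state(self, now_min):
        idle = now_min - self.last_request
        if self.terminated or idle >= self.policy.timeout_min:
            return "expired"
        # Assumption: an alert value of 0 means no alert is shown.
        if self.policy.alert_min and idle >= self.policy.timeout_min - self.policy.alert_min:
            return "alert"
        return "active"

    def request(self, now_min):
        # Any request (including "Continue Session") restarts the idle clock,
        # but an expired session can never be revived: re-authentication only.
        if self.state(now_min) == "expired":
            self.terminated = True
            return False
        self.last_request = now_min
        return True

    def terminate(self):
        self.terminated = True

if __name__ == "__main__":
    s = Session(SessionPolicy())
    for minute in (10, 27, 29, 30):
        print(minute, s.state(minute))
    s.request(29)                      # "Continue Session" at minute 29
    print(58, s.state(58), 59, s.state(59))
```

The point to carry over into any real check is in `request`: once the idle limit has passed, a late request must not slide the window again.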