User Session Management – Expiration

The world is bad and bad boys are amongst us. They will not only change app.html, they can even steal real documents or do other things with a user's session. As a precaution, there is a new User Session Management – Expiration page:

?func=admin.securityvars

This new management builds on the Cookie Authentication Info settings. User sessions can be terminated in a much more advanced way than with the usual Security Tokens. The rules are:

• By default, the session is set to expire 30 minutes after the last action is performed.

• The Session Timeout ranges from 1 to 10080 minutes (7 days).

• The Session Timeout Alert ranges from 0 to 120 minutes.

• Also: the Session Timeout Alert cannot be higher than the Session Timeout.
User session management - expiration: New user session options

But: a session limit (Sessions per User) is not enabled by default.

Sessions per User

Example

Example of a user session configuration

If the user is not active, the session expires 30 minutes after the last request made to the server.

3 minutes before the session expires (in the 27th minute), an alert is displayed to the user that their session is about to expire.
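To make the rules and the example above concrete, here is a small model of the expiration logic (added example code, not part of Content Server or of the original post): it validates a timeout/alert pair against the stated limits and classifies an idle session as active, warning or expired, measured from the last request. The timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits as stated in the rules above (minutes).
TIMEOUT_MIN, TIMEOUT_MAX = 1, 10080   # 1 minute .. 7 days
ALERT_MIN, ALERT_MAX = 0, 120


@dataclass(frozen=True)
class SessionPolicy:
    timeout_minutes: int = 30   # default: expire 30 min after the last action
    alert_minutes: int = 3      # example above: warn 3 min before expiry

    def validate(self) -> list:
        """Return the list of rule violations (empty when the policy is valid)."""
        problems = []
        if not TIMEOUT_MIN <= self.timeout_minutes <= TIMEOUT_MAX:
            problems.append(f"timeout {self.timeout_minutes} outside {TIMEOUT_MIN}..{TIMEOUT_MAX}")
        if not ALERT_MIN <= self.alert_minutes <= ALERT_MAX:
            problems.append(f"alert {self.alert_minutes} outside {ALERT_MIN}..{ALERT_MAX}")
        if self.alert_minutes > self.timeout_minutes:
            problems.append("alert cannot be higher than timeout")
        return problems


def session_state(policy: SessionPolicy, last_request: datetime, now: datetime) -> str:
    """Classify an idle session as 'active', 'warning' or 'expired'.
    Idle time is measured from the last request, so any request resets the clock."""
    idle = now - last_request
    timeout = timedelta(minutes=policy.timeout_minutes)
    if idle >= timeout:
        return "expired"
    if idle >= timeout - timedelta(minutes=policy.alert_minutes):
        return "warning"
    return "active"


def replay(policy: SessionPolicy, requests: list, probe: datetime) -> str:
    """Walk a list of request timestamps (the chain of 'last actions') and report
    the session state at `probe`; requests after `probe` are ignored."""
    seen = [t for t in requests if t <= probe]
    if not seen:
        return "expired"          # no request at all: nothing to keep alive
    return session_state(policy, max(seen), probe)


# Constructed sample: login at 09:00, one more request at 09:20 (e.g. "Continue Session").
START = datetime(2024, 1, 1, 9, 0)
SAMPLE_REQUESTS = [START, START + timedelta(minutes=20)]
```

Note that `replay` at 09:40 reports the session as still active because the 09:20 request reset the 30-minute window; a naive check against the login time alone would wrongly call it expired.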

Note: not every session counts as a separate session; the system admin must consider these rules:

• Content Server open in multiple tabs of the same browser is considered one session

• Content Server open in multiple browsers is a separate session per browser

• Content Server active in CS Mobile or Enterprise Connect is considered a separate session

• And when Content Server is active in other integrations like SAP, Salesforce, SuccessFactors etc., this is considered a separate session

Warnings

User session terminations are preceded by some warnings. If the session is still active but will be disconnected soon, the user gets this warning:

Session Timeout Warning

To keep the surprise as small as possible, the user can push the “Continue Session” button and extend the session. But if the session has expired, the user gets this panel:

Session timed out

The “Sign in” button redirects to OTDS and the user has to re-authenticate.

The other side: View Sessions

View User Sessions

This will be the tool for the admin to view sessions.

Detailed "View User Sessions"

And, for various reasons, there is a ‘Terminate Session’ button that ends the user session; the user is then forced to re-authenticate.

User sessions are also terminated by any “Logout” button and on removing the “Log-in enabled” privilege on the user profile edit page.

User privilege "Log-in enabled"

This will keep the bad boys out of your system.