The world is bad and bad boys are amongst us. They will not only change app.html, they can even steal real documents or do other things with their sessions. As a precaution, there is a new User Session Management – Expiration
?func=admin.securityvars
This new management makes use of the Cookie Authentication Information. User sessions can be terminated in a much more advanced way than with the usual Security Tokens. The rules are:
- By default, the session is set to expire 30 minutes after the last action is performed.
- The Session Timeout in minutes ranges from 1 to 10080 (7 days).
- The Session Timeout Alert in minutes ranges from 0 to 120.
- Also: the Session Timeout Alert cannot be higher than the Session Timeout.
![User session management - expiration: New user session options](https://pos2007.de/wp-content/uploads/2021/08/usersessionI-1024x339.png)
But: a session limit is not enabled by default.
![Sessions per User](https://pos2007.de/wp-content/uploads/2021/08/Bild1usersession2.png)
Example
![Example of a user session configuration](https://pos2007.de/wp-content/uploads/2021/08/usersesssion3-1024x342.png)
If the user is not active, the session will expire 30 minutes after the last request made to the server.
3 minutes before the session expiration (on the 27th minute), an alert will be displayed to the user that their session is about to expire.
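The timing in this example can be checked with a small model. The following Python code is an added example, not Content Server code: `SessionPolicy` and `session_state` are hypothetical names, the timestamps are constructed, and it assumes that every request restarts the timer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits as stated in the rules above.
TIMEOUT_MIN, TIMEOUT_MAX = 1, 10080   # minutes (10080 = 7 days)
ALERT_MIN, ALERT_MAX = 0, 120         # minutes


@dataclass(frozen=True)
class SessionPolicy:
    """Hypothetical container for the two expiration settings."""
    timeout_minutes: int
    alert_minutes: int

    def __post_init__(self):
        if not TIMEOUT_MIN <= self.timeout_minutes <= TIMEOUT_MAX:
            raise ValueError("Session Timeout must be 1..10080 minutes")
        if not ALERT_MIN <= self.alert_minutes <= ALERT_MAX:
            raise ValueError("Session Timeout Alert must be 0..120 minutes")
        if self.alert_minutes > self.timeout_minutes:
            raise ValueError("Alert cannot be higher than the timeout")


def session_state(policy, last_request, now):
    """Return 'active', 'warning' or 'expired' for a session.

    Assumption: the timer is sliding, so each request moves
    last_request forward and restarts the countdown.
    """
    expires_at = last_request + timedelta(minutes=policy.timeout_minutes)
    warn_at = expires_at - timedelta(minutes=policy.alert_minutes)
    if now >= expires_at:
        return "expired"
    if now >= warn_at:
        return "warning"
    return "active"


if __name__ == "__main__":
    policy = SessionPolicy(timeout_minutes=30, alert_minutes=3)
    last = datetime(2021, 8, 1, 9, 0)          # constructed sample time
    for idle in (10, 27, 30):
        now = last + timedelta(minutes=idle)
        print(idle, session_state(policy, last, now))
```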
Note: a session is not always the same as a session. The system admin must consider these rules:
• If the Content Server is active on multiple tabs of the same browser, this is considered one session
• A Content Server active on multiple browsers is a separate session on its own
• If the Content Server is active on CS Mobile or Enterprise Connect, it is considered a separate session
• And when the Content Server is active on other integrations like SAP, Salesforce, SuccessFactors etc., this is considered to be a separate session
Warnings
User session terminations are preceded by some warnings. If the session is still active but will be disconnected soon, the user gets this warning:
![Session Timeout Warning](https://pos2007.de/wp-content/uploads/2021/08/usersession4-1024x447.png)
To keep the surprise as small as possible, the user can push the “Continue Session” button and extend the session. But if the session has expired, the user gets this panel:
![Session timed out](https://pos2007.de/wp-content/uploads/2021/08/usersession5-1024x320.png)
The “Sign in” button redirects to OTDS and the user has to re-authenticate his session.
The other side: View Sessions
![View User Sessions](https://pos2007.de/wp-content/uploads/2021/08/usersesssion6.png)
This will be the tool for the admin to view sessions.
![Detailed "View User Sessions"](https://pos2007.de/wp-content/uploads/2021/08/usersession7-1024x451.png)
And, for different reasons, there is a ‘Terminate Session’ button that ends the user session, and the user will be forced to re-authenticate.
User sessions will also be terminated by any “Logout” button and by removing the “Log-in enabled” privilege on the user profile edit page.
![User privilege "Log-in enabled"](https://pos2007.de/wp-content/uploads/2021/08/usersession9.png)
This will keep the bad boys out of your system.