Posted: 16 Mar 2017 6:13 EDT Last activity: 16 Oct 2018 12:03 EDT
Does Pega timeout sessions based on < session-timeout > setting of web.xml? [7.2.2]
I added a configuration of <session-config><session-timeout>3</session-timeout></session-config> in web.xml, and left more than 3 minutes. However, I can keep operating without re-login. Does Pega timeout sessions based on <session-timeout> setting of web.xml?
**Moderation Team has archived post**
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
There are two timeouts and two behaviors to consider. All are controlled by configurable system settings. The settings are not included in the standard dynamic system settings or prconfig.xml.
- authentication timeout -- the time after which an operator will be prompted to re-verify credentials (user/password)
- requestor timeout -- the timeout after which the requestor is freed from memory and "passivated"
The default behavior of Pega 7.2 is to "passivate" a requestor by storing it in the database, where it is available for "activation" for 24 hours or longer, until the SystemCleaner agent deletes it. Passivation may be changed to "disk" passivation or "never" -- once freed, it is gone.
The default behavior of Pega 7.2 is to not authenticate on activation -- if there is a submission from the browser with the appropriate PegaRULES session cookie, the requestor is automatically activated (loaded back into memory) without challenging the user for credentials.
The default requestor timeout is 3600 seconds (one hour).
I have one question regarding authentication timeout.
You wrote that the default behavior of Pega is not to authenticate on activation. So is there any way (other than the Access Group or timeout settings in the server) we could override the default behavior so that the user is prompted for re-authentication? I tried the PRPC web.xml session timeout, but it doesn't work.
The timeout/browser would cause the requestor to be passivated (disk or DB) until the System Cleaner removes it (runs daily). This is the browser timeout function. If the user accesses the application after the timeout has happened, his session is restored from the DB or disk. The authentication timeout is different, as it controls when the user would be prompted for user ID/password to re-establish the session with Pega.
So in your case, if you try to access the Pega application after 100 minutes (assuming it was idle all this time), you would be prompted for user ID and password.