Session Expiry
Session expiry is a two-stage process. For users occupying a concurrent license, when the user has been idle (i.e. they have not accessed the server from their browser for the time defined in USER_EXPIRE_TIME_HOURS), they will receive a session expiry message from ExtraView when they next access the server. If the user was in the middle of creating a new issue or editing an existing issue, ExtraView will attempt to restore all the data held in the user’s browser from the time they last entered data. This happens after they re-authenticate with their sign-on credentials.
This capability comes at a price, in that the server must hold all the data necessary to restore the session within the application server’s memory. With a significant number of users, this can mount up, and so there is a second timeout defined in SESSION_EXPIRE_TIME_HOURS. If the user attempts to restore their session after this time, no data can be restored, and the user will be taken to their usual destination page upon signing on, usually the Home Page.
For users who occupy a named user license there is a separate behavior setting for control. This is named SESSION_NAME_EXPIRE_TIME_HOURS.
When a user receives an alert informing them that their session expired or was removed, it may be for one of several reasons:
Alert Code | Meaning |
RC1 | The most likely reason is that the user was idle longer than the time allotted by the administrator in the behavior setting named SESSION_EXPIRE_TIME_HOURS. ExtraView then signs the user out of the system. This condition may also be caused by the administrator restarting the server while the user was in the middle of a task. |
RC2 | The cookies returned by the browser don’t match the session cookies held on the server. There are two possible reasons for this. First, the expiry may happen if the user attempts to sign on to ExtraView from two different instances of the same browser. Secondly, if the server is first accessed by a specific URL from a user’s browser, the same URL must then be used for all subsequent accesses by all users. |
RC3 | The session expired in the server. This is most often due to an error condition that could not be handled. |
RC4 | The session was removed by administrator. This happens when the administrator uses the Manage Connected Users administrative function to cancel a user’s session. |
RC5 | Your IP address changed during the session and CLIENT_IP_ADDRESS_CHECK is “YES”. Normally ExtraView performs a check for security purposes, to ensure that your IP address remains consistent. However, this check can be disabled if you are part of a network where your IP address is automatically translated for any reason. This is most often seen when accessing a corporate network via a VPN with a proxy server. |
You may turn on a warning to the user that their session is about to expire, using the two behavior settings named SESSION_WARNING_TIME_SECS and SESSION_WARNING_INTERVAL_SECS. This will give them additional warnings that their session is about to expire.
For users occupying concurrent licenses, the session expiry is controlled by a number of settings, some optional, some mandatory. The two mandatory settings are:
Behavior Setting | Purpose |
SESSION_EXPIRE_TIME_HOURS | This is the session expiry period measured in hours for a user who occupies a concurrent user license and who remains idle. Note that this is different from the period for users who occupy a named license. Their expiry period is defined in the behavior setting named SESSION_NAME_EXPIRE_TIME_HOURS. After the period set in USER_EXPIRE_TIME_HOURS and before the value of SESSION_EXPIRE_TIME_HOURS, ExtraView will attempt to restore a user’s data when their session has expired. Beyond the time specified in SESSION_EXPIRE_TIME_HOURS the data will be lost. If the value of this setting is less than one minute or 0, then the session data will be kept permanently until the server is restarted. This is not recommended. |
USER_EXPIRE_TIME_HOURS | This is the time in hours for which a user will remain signed in to ExtraView when their computer is idle. ExtraView recognizes a user as still active when an action causes the user to access the server. When a user’s session expires, ExtraView will ask the user to sign in again, and will attempt to restore any data being inserted or updated, and take the user to the point where they were working. Note that the ability to restore data is only enabled for the period specified in the setting named SESSION_EXPIRE_TIME_HOURS. For this reason, SESSION_EXPIRE_TIME_HOURS should always be equal to or greater than USER_EXPIRE_TIME_HOURS. If the value of this setting is less than one minute or 0, then the session will not time out. |
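The two-stage expiry and the setting constraints described above, as an added example that is not ExtraView code: it audits a constructed set of behavior settings and reports which stage an idle concurrent-license user is in. The dict-of-strings layout, the function names and the sample values are assumptions, as is treating the expiry instant itself as already expired.

```python
# Added example, not ExtraView code. Setting names come from the page;
# the dict layout, function names and sample values are assumptions.
from enum import Enum

MIN_HOURS = 1 / 60  # "less than one minute or 0" disables the timeout

# Constructed sample of exported behavior settings.
SAMPLE = {"USER_EXPIRE_TIME_HOURS": "2", "SESSION_EXPIRE_TIME_HOURS": "8",
          "CLIENT_IP_ADDRESS_CHECK": "YES"}


class Stage(Enum):
    ACTIVE = "session valid"
    REAUTH_RESTORE = "sign in again, add/edit data restored"
    REAUTH_NO_RESTORE = "sign in again, data lost"


def audit(settings):
    """Return a list of findings for weak session-expiry settings."""
    user = float(settings["USER_EXPIRE_TIME_HOURS"])
    session = float(settings["SESSION_EXPIRE_TIME_HOURS"])
    findings = []
    if user < MIN_HOURS:
        findings.append("USER_EXPIRE_TIME_HOURS: idle sessions never time out")
    if session < MIN_HOURS:
        findings.append("SESSION_EXPIRE_TIME_HOURS: data kept until restart")
    elif user >= MIN_HOURS and session < user:
        findings.append("SESSION_EXPIRE_TIME_HOURS below USER_EXPIRE_TIME_HOURS")
    if settings["CLIENT_IP_ADDRESS_CHECK"].strip().upper() != "YES":
        findings.append("CLIENT_IP_ADDRESS_CHECK: client IP is not verified")
    return findings


def stage_for_idle(idle_hours, user_expire, session_expire):
    """Stage for a concurrent-license user idle for idle_hours."""
    if not MIN_HOURS <= user_expire <= session_expire:
        raise ValueError("needs both timeouts enabled and SESSION >= USER")
    if idle_hours >= session_expire:   # second stage: restore data discarded
        return Stage.REAUTH_NO_RESTORE
    if idle_hours >= user_expire:      # first stage: re-authenticate, restore
        return Stage.REAUTH_RESTORE
    return Stage.ACTIVE


if __name__ == "__main__":
    print(audit(SAMPLE))
    for idle in (1, 3, 9):
        print(idle, stage_for_idle(idle, 2, 8).name)
```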
There are further settings that may be used to determine if a user is really inactive, or whether they have closed their browser, navigated to another page or performed some other action that means that the session information held on the server is no longer required. This is principally used to allow the administrator to fine-tune the allocation of concurrent user licenses after the USER_EXPIRE_TIME_HOURS and before the SESSION_EXPIRE_TIME_HOURS is reached, and to ensure that users do not retain a license if there is no need. The basic principle is that if the user requires resources to be retained on the server, they will retain their license during this period, but if they do not require resources on the server, their license will be released. Resources are required on the server if the user is in one of these functions:
- Add screen
- Edit screen
- Item History screen
- Related Issue Update screen
This functionality comes at a modest performance cost, in that there needs to be communication at regular intervals between the client browser and the server to determine a user’s status. These packets of information may have an effect on performance; therefore this feature may be turned on or off, and the administrator may determine how frequently checks are made.
If you are using named user licenses the recommendation is to turn the feature off using the USER_TIMEOUT_SESSION_REMOVAL setting.
Behavior Setting | Purpose |
USER_TIMEOUT_SESSION_REMOVAL | This is used to turn this feature on or off. The value of YES implies that sessions are killed after USER_EXPIRE_TIME_HOURS of inactivity, unless the user has sessions that remain active in the add or edit screen mode. NO implies that these sessions are not killed after this period of inactivity. The user’s browser is checked by the server every SESSION_MONITOR_POLL_SECS to see if the ExtraView session is still active and the client updates the server with this information every KEEPALIVE_INTERVAL_SECS seconds. |
KEEPALIVE_INTERVAL_SECS | This is the number of seconds between polling operations from the add or edit screen. This timer is used to send a message from the user’s browser to the server, to allow the server to keep track of users with open add or edit sessions. If the user closes their browser or navigates away from an add or edit page, then the server will be able to recognize this event. |
SESSION_MONITOR_POLL_SECS | This is the number of seconds between periodic tests from the server, for session removal due to user expire time activity. The server will test to see if the user still has an open session at this interval. This is only used if USER_TIMEOUT_SESSION_REMOVAL is YES, and if the user’s browser has not reported to the server that a session is still active with the KEEPALIVE_INTERVAL_SECS timer. |