AEM session and CSRF token timeout | Community
Skip to main content
S
Srinivas_Opti
Level 3
May 15, 2024
Solved

AEM session and CSRF token timeout

  • May 15, 2024
  • 2 replies
  • 2666 views

Hello,

 

Could you please help me on the below to find

AEM Configurations for the below

1.After user is logged in  which configuration is used for AEM session timeout

javax.servlet.http.HttpSession session = slingHttpServletRequest.getSession();

We get the session from slingHttpServletRequest.getSession() ;

where this time out is configured for this


2. Jwt token timeout
3. CSRF token timeout
4.For in activity timeout once user is logged in will the session get reset and where is that function, which could used to used to extend the session ,so that it does not timeout??

 

 

Regards,

Srinivas 

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by HrishikeshKagne

Hi @srinivas_opti ,

  1. Session Timeout:

    • The org.apache.sling.engine.impl.SlingMainServlet OSGi configuration typically doesn't directly control session timeouts. Session timeouts in AEM are usually controlled by the servlet container (like Apache Felix Jetty or Apache Tomcat) rather than specific configurations within AEM itself.
    • You're correct in your assumption that session timeout settings are often configured at the servlet container level. In the case of Apache Felix Jetty, you would indeed configure session timeout via the org.apache.felix.http OSGi configuration.
    • To change the session timeout, you need to locate the appropriate OSGi configuration in /system/console/configMgr/ related to your servlet container (e.g., Jetty or Tomcat), and then adjust the session timeout property there.

  2. JWT and Adobe IMS:

    • Integrating extra custom properties into JWT tokens issued by Adobe IMS (Identity Management Service) typically involves configuring the token issuer to include these additional claims in the token payload.
    • While specific documentation or links might be available from Adobe regarding customizing JWT tokens issued by Adobe IMS, it's best to consult the official Adobe IMS documentation or reach out to Adobe support for the most up-to-date and accurate information.
    • Generally, the process involves configuring the token issuer (Adobe IMS in this case) to include additional claims in the token payload. This could be done through configuration settings or APIs provided by Adobe IMS.
    • Adobe IMS might provide APIs or SDKs for token generation and customization, which you can integrate into your application to include the required custom properties in JWT tokens.
    • Ensure that any custom properties you add to the JWT payload adhere to the JWT specifications and are supported by Adobe IMS.

For both of these tasks, consulting official documentation from Adobe and possibly seeking support from their technical resources can provide the most accurate and reliable guidance.

2 replies

R
RustamMussabay
Level 2
May 15, 2024

Hey @srinivas_opti ,

 

Are you looking for https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-session-timeout-extension/m-p/581634?

 

Regards,

Rustam

S
Srinivas_OptiAuthor
Level 3
May 15, 2024

Thanks for the input.

 

javax.servlet.http.HttpSession session = slingHttpServletRequest.getSession();

We get the session from slingHttpServletRequest.getSession() ;

where this time out is configured in the osgi

R
RustamMussabay
Level 2
May 15, 2024

Have you had a chance to experiment with Apache Jackrabbit Oak's TokenConfiguration?

If I'm understanding correctly, you're interested in modifying the default session timeout for logged-in users. Tweaking the Token Expiration property within the TokenConfiguration service should achieve what you're looking for.

 

HrishikeshKagne
Community Advisor
HrishikeshKagneCommunity Advisor
Community Advisor
May 16, 2024

Hi @srinivas_opti ,

Sure, I can provide you with an overview of the configurations related to session, JWT token, CSRF token timeout, and inactivity timeout in Adobe Experience Manager (AEM).

  1. Session Timeout:

    • The session timeout in AEM is typically controlled by the servlet container (e.g., Apache Sling) configuration. AEM relies on the servlet container's session management mechanism.
    • In Apache Sling, you can configure the session timeout in the org.apache.sling.engine.impl.SlingMainServlet OSGi configuration. Look for the sessionTimeout property, which specifies the timeout value in minutes.

  2. JWT Token Timeout:

    • The JWT token timeout can be configured in the Adobe IMS (Identity Management Service) console or the Adobe Admin Console.
    • In Adobe IMS, navigate to the Configuration tab and find the option to configure the token expiration time. This setting controls the lifetime of JWT tokens issued by Adobe IMS for authentication with AEM.

  3. CSRF Token Timeout:

    • CSRF token timeout is typically controlled by the CSRF token TTL (Time-to-Live) configuration in AEM.
    • In AEM, the default TTL for CSRF tokens is configured in the org.apache.sling.security.impl.ContentDispositionFilter OSGi configuration. Look for the tokenValidity property, which specifies the token validity period in milliseconds.

  4. Inactivity Timeout:

    • AEM does not have a built-in feature for inactivity timeout. However, you can implement custom logic to handle inactivity timeout if needed.
    • To implement inactivity timeout, you would typically use a combination of client-side JavaScript to track user activity and server-side logic to invalidate sessions after a certain period of inactivity.
    • You can extend the session duration programmatically in AEM by resetting the session timeout value whenever there is user activity. This can be done by calling the setMaxInactiveInterval() method on the HttpSession object obtained from slingHttpServletRequest.getSession().

Here's an example of how you can extend the session timeout programmatically in AEM:

 

javax.servlet.http.HttpSession session = slingHttpServletRequest.getSession(); // Extend session timeout to 30 minutes (1800 seconds) session.setMaxInactiveInterval(1800);

 

Please note that modifying these configurations should be done carefully and according to your specific requirements, as they can impact the security and performance of your AEM instance. Always test changes in a development or staging environment before applying them to production.

 

Thanks!

Hrishikesh Kagane
S
Srinivas_OptiAuthor
Level 3
May 17, 2024

Thanks @hrishikeshkagne   for such a detailed explanation. Gave me good insights.

 

1 .Session Timeout:

In felix console for chaning  the session timeout in the org.apache.sling.engine.impl.SlingMainServlet OSGi configuration,
searching SlingMainServlet in /system/console/configMgr,it does not show up anything, is SlingMainServlet realted to 'Apache Felix Jetty Based Http Service' /system/console/configMgr/org.apache.felix.http session time property.

2. JWT:-
To add extra custom properties in payload .How can we do in Adobe IMS (Identity Management Service), do you have any links that give more insight

 

Thanks,

Srinivas

 

HrishikeshKagne
Community Advisor
HrishikeshKagneCommunity AdvisorAccepted solution
Community Advisor
May 17, 2024

Hi @srinivas_opti ,

  1. Session Timeout:

    • The org.apache.sling.engine.impl.SlingMainServlet OSGi configuration typically doesn't directly control session timeouts. Session timeouts in AEM are usually controlled by the servlet container (like Apache Felix Jetty or Apache Tomcat) rather than specific configurations within AEM itself.
    • You're correct in your assumption that session timeout settings are often configured at the servlet container level. In the case of Apache Felix Jetty, you would indeed configure session timeout via the org.apache.felix.http OSGi configuration.
    • To change the session timeout, you need to locate the appropriate OSGi configuration in /system/console/configMgr/ related to your servlet container (e.g., Jetty or Tomcat), and then adjust the session timeout property there.

  2. JWT and Adobe IMS:

    • Integrating extra custom properties into JWT tokens issued by Adobe IMS (Identity Management Service) typically involves configuring the token issuer to include these additional claims in the token payload.
    • While specific documentation or links might be available from Adobe regarding customizing JWT tokens issued by Adobe IMS, it's best to consult the official Adobe IMS documentation or reach out to Adobe support for the most up-to-date and accurate information.
    • Generally, the process involves configuring the token issuer (Adobe IMS in this case) to include additional claims in the token payload. This could be done through configuration settings or APIs provided by Adobe IMS.
    • Adobe IMS might provide APIs or SDKs for token generation and customization, which you can integrate into your application to include the required custom properties in JWT tokens.
    • Ensure that any custom properties you add to the JWT payload adhere to the JWT specifications and are supported by Adobe IMS.

For both of these tasks, consulting official documentation from Adobe and possibly seeking support from their technical resources can provide the most accurate and reliable guidance.

Hrishikesh Kagane
Terms & ConditionsAccessibility statement

Loading footer...