
SOLVED

AEM session and CSRF token timeout


Level 4

Hello,


Could you please help me find the AEM configurations for the below:

1. After a user is logged in, which configuration is used for the AEM session timeout?

javax.servlet.http.HttpSession session = slingHttpServletRequest.getSession();

We get the session from slingHttpServletRequest.getSession(); where is the timeout configured for this?

2. JWT token timeout
3. CSRF token timeout
4. For the inactivity timeout once a user is logged in, will the session get reset, and where is the function which could be used to extend the session so that it does not time out?


Regards,

Srinivas 

1 Accepted Solution


Correct answer by
Community Advisor

Hi @Srinivas_Opti ,

  1. Session Timeout:

    • The org.apache.sling.engine.impl.SlingMainServlet OSGi configuration typically doesn't directly control session timeouts. Session timeouts in AEM are usually controlled by the servlet container (like Apache Felix Jetty or Apache Tomcat) rather than specific configurations within AEM itself.
    • You're correct in your assumption that session timeout settings are often configured at the servlet container level. In the case of Apache Felix Jetty, you would indeed configure session timeout via the org.apache.felix.http OSGi configuration.
    • To change the session timeout, you need to locate the appropriate OSGi configuration in /system/console/configMgr/ related to your servlet container (e.g., Jetty or Tomcat), and then adjust the session timeout property there.
  2. JWT and Adobe IMS:

    • Integrating extra custom properties into JWT tokens issued by Adobe IMS (Identity Management Service) typically involves configuring the token issuer to include these additional claims in the token payload.
    • While specific documentation or links might be available from Adobe regarding customizing JWT tokens issued by Adobe IMS, it's best to consult the official Adobe IMS documentation or reach out to Adobe support for the most up-to-date and accurate information.
    • Generally, the process involves configuring the token issuer (Adobe IMS in this case) to include additional claims in the token payload. This could be done through configuration settings or APIs provided by Adobe IMS.
    • Adobe IMS might provide APIs or SDKs for token generation and customization, which you can integrate into your application to include the required custom properties in JWT tokens.
    • Ensure that any custom properties you add to the JWT payload adhere to the JWT specifications and are supported by Adobe IMS.

For both of these tasks, consulting official documentation from Adobe and possibly seeking support from their technical resources can provide the most accurate and reliable guidance.


9 Replies


Level 4

Thanks for the input.

javax.servlet.http.HttpSession session = slingHttpServletRequest.getSession();

We get the session from slingHttpServletRequest.getSession(); where is this timeout configured in the OSGi console?


Level 2

Have you had a chance to experiment with Apache Jackrabbit Oak's TokenConfiguration?

If I'm understanding correctly, you're interested in modifying the default session timeout for logged-in users. Tweaking the Token Expiration property within the TokenConfiguration service should achieve what you're looking for.



Level 4

Thanks for the input @RustamMussabay,

1> Yes, I am looking to modify the default session timeout for logged-in users.

I have noticed the session times out after 10 min, but the "Apache Jackrabbit Oak's TokenConfiguration" Token Expiration property has the timeout set as "43200000" ms.

Please suggest whether I need to look at the TokenConfiguration, or which other configuration I must look at?

Is "felix jetty http service" related to session timeout?

2> I have a JWT token also added to the session after logging in. So which configuration should I look at for any JWT change?


Level 2

Sorry, I'm unable to assist with this particular issue.

In my experience, changing the value in TokenConfiguration always worked on my local machine. From my understanding, it serves as a default service responsible for managing user sessions.

Regarding your mention of adding a JWT token to the session post-login, I'm uncertain about the context. However, if you're utilizing a custom login service, I presume the necessary OSGi configuration is already incorporated into our codebase.


UPD: I've just checked Apache Felix Jetty Based Http Service configurations on my local machine and it's also set to 60000. 


Community Advisor

Hi @Srinivas_Opti ,

Sure, I can provide you with an overview of the configurations related to session, JWT token, CSRF token timeout, and inactivity timeout in Adobe Experience Manager (AEM).

  1. Session Timeout:

    • The session timeout in AEM is typically controlled by the servlet container (e.g., Apache Sling) configuration. AEM relies on the servlet container's session management mechanism.
    • In Apache Sling, you can configure the session timeout in the org.apache.sling.engine.impl.SlingMainServlet OSGi configuration. Look for the sessionTimeout property, which specifies the timeout value in minutes.
  2. JWT Token Timeout:

    • The JWT token timeout can be configured in the Adobe IMS (Identity Management Service) console or the Adobe Admin Console.
    • In Adobe IMS, navigate to the Configuration tab and find the option to configure the token expiration time. This setting controls the lifetime of JWT tokens issued by Adobe IMS for authentication with AEM.
  3. CSRF Token Timeout:

    • CSRF token timeout is typically controlled by the CSRF token TTL (Time-to-Live) configuration in AEM.
    • In AEM, the default TTL for CSRF tokens is configured in the org.apache.sling.security.impl.ContentDispositionFilter OSGi configuration. Look for the tokenValidity property, which specifies the token validity period in milliseconds.
  4. Inactivity Timeout:

    • AEM does not have a built-in feature for inactivity timeout. However, you can implement custom logic to handle inactivity timeout if needed.
    • To implement inactivity timeout, you would typically use a combination of client-side JavaScript to track user activity and server-side logic to invalidate sessions after a certain period of inactivity.
    • You can extend the session duration programmatically in AEM by resetting the session timeout value whenever there is user activity. This can be done by calling the setMaxInactiveInterval() method on the HttpSession object obtained from slingHttpServletRequest.getSession().

Here's an example of how you can extend the session timeout programmatically in AEM:

javax.servlet.http.HttpSession session = slingHttpServletRequest.getSession();
// Extend session timeout to 30 minutes (1800 seconds)
session.setMaxInactiveInterval(1800);

Please note that modifying these configurations should be done carefully and according to your specific requirements, as they can impact the security and performance of your AEM instance. Always test changes in a development or staging environment before applying them to production.


Thanks!
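An added example (not code from this thread or from Adobe) of the server-side half of point 4 above: a Sling request filter that refreshes the inactivity window on every authenticated request with the setMaxInactiveInterval() call shown in the answer, but also enforces an absolute session lifetime so that activity alone cannot keep a container session alive indefinitely. The package and class names and the two timeout values are assumptions; the OSGi registration uses the standard sling.filter.scope=request property.

```java
package com.example.session; // hypothetical package, not part of the thread

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.osgi.service.component.annotations.Component;

/**
 * Refreshes the HttpSession idle window on each authenticated request, but
 * invalidates sessions older than an absolute cap regardless of activity.
 */
@Component(service = Filter.class,
        property = { "sling.filter.scope=request", "service.ranking:Integer=100" })
public class BoundedSessionTimeoutFilter implements Filter {

    private static final int IDLE_SECONDS = 30 * 60;                       // 30 min inactivity, as in the answer
    private static final long ABSOLUTE_LIFETIME_MS = 8L * 60 * 60 * 1000;  // 8 h hard cap (assumed value)

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // getSession(false): never create a container session for anonymous traffic
            HttpSession session = http.getSession(false);
            if (session != null && http.getRemoteUser() != null) {
                long age = System.currentTimeMillis() - session.getCreationTime();
                if (age > ABSOLUTE_LIFETIME_MS) {
                    // Too old regardless of activity: drop it so the client must re-authenticate
                    session.invalidate();
                } else {
                    // Each request restarts the inactivity clock (the call the answer shows)
                    session.setMaxInactiveInterval(IDLE_SECONDS);
                }
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

The filter only governs the servlet container's HttpSession that the answer's snippet refers to; the Oak login token and Felix HTTP service timeouts discussed earlier in the thread are separate settings.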


Level 4

Thanks @HrishikeshKa for such a detailed explanation. It gave me good insights.

1. Session Timeout:

In the Felix console, for changing the session timeout in the org.apache.sling.engine.impl.SlingMainServlet OSGi configuration, searching for SlingMainServlet in /system/console/configMgr does not show up anything. Is SlingMainServlet related to the 'Apache Felix Jetty Based Http Service' /system/console/configMgr/org.apache.felix.http session time property?

2. JWT:
To add extra custom properties in the payload, how can we do this in Adobe IMS (Identity Management Service)? Do you have any links that give more insight?

 

Thanks,

Srinivas


Level 1

Adobe have advised that JWT based token credential approach will be deprecated in Jan 2025 and no longer supported as they are moving to OAuth.

Given the non-use of JWT tokens, how is session management then best managed in AEM CS? Are sessions then managed and stored in other session management tools?