Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Handle Session Timeout - AEM war in Tomcat

Avatar

Level 1

Hi All,

In our application development we are using AEM deployed as an war in tomcat 8. Now there is an requirement to implement session timeout. The detail use case is as below

Requirement: the application should redirect to Login page if the session timeout reaches 30min. Session timeout will be updated in web.xml

Need inputs on how to implement the above requirement. Few questions are below

1) Is AEM contains HTTPSession as it is deployed in tomcat? if so how to handle the HTTPSession in AEM as by default AEM dosent maintain HTTPSession

2) Do we need to write any Custom Authentcator hadler to check the session time out? if so how to retrieve session timeout value updated in web.xml in custom handler

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Hi,

The fact, that a user has logged in successfully, isn't stored inside a http session, but rather as token inside the repository. Therefor the lifetime of a http session doesn't have any influence. You rather need to configure the lifetime on the token itself. You can do this at [1].

To your questions:

1) You can use http sessions, but you don't have to. It's highly recommended to avoid server-side state.

2) You don't need to.

kind regards,
Jörg

 

[1] http://localhost:4502/system/console/configMgr/org.apache.jackrabbit.oak.security.authentication.tok...

View solution in original post

2 Replies

Avatar

Correct answer by
Employee Advisor

Hi,

The fact, that a user has logged in successfully, isn't stored inside a http session, but rather as token inside the repository. Therefor the lifetime of a http session doesn't have any influence. You rather need to configure the lifetime on the token itself. You can do this at [1].

To your questions:

1) You can use http sessions, but you don't have to. It's highly recommended to avoid server-side state.

2) You don't need to.

kind regards,
Jörg

 

[1] http://localhost:4502/system/console/configMgr/org.apache.jackrabbit.oak.security.authentication.tok...

Avatar

Level 1
        Thanks jorg hoh I got the understanding now. But one more question is if we need to redirect to our own login page instead if aem default login page when the session is timed out .how to achieve .