Configuring the User Session Timeout

The user session timeout is the length of time a user’s session can remain inactive before the server automatically logs the user out. JasperReports Server now implements a pop-up reminder that tells users their session is about to expire and gives them the chance to continue without being logged out.

User Session Timeout

Configuration File

.../WEB-INF/web.xml

Property

Value

Description

<session-config>
<session-timeout>

20 <default>

Set the number of minutes that a user session can remain idle before automatic logout. Set the value to 0 (zero) to prevent sessions from ever timing out.

Note that the session timeout also applies to how long a session remains in memory after a web services call finishes. If there is another web service call with the same credentials within the timeout period, the server reuses the same session. If the timeout is too short for this case, you may have performance issues caused by a high load of web service calls.

Conversely, if the timeout is too long, a user session may stay active for a long time (even indefinitely with a timeout of 0) if a user leaves his browser open. The risk of allowing long sessions is that the in-memory session is not updated with any role changes until the user logs out manually (ending the session) and logs in again (creating a new session).

Version: 
Feedback
randomness