
Version: 24.10

Session timeout

A session timeout is a safeguard against sensitive data remaining visible when a screen has been left unattended for a defined duration.

Follow these steps to set up a session timeout in Journey Brokers.

  1. Ensure the Session timeout in Journey Manager's Security Manager is set to the desired duration.

    1. Log into Journey Manager and go to Security > Security Managers.
    2. Select your security manager from the list.
    3. On the Security Manager tab, select the desired Session timeout value.
    4. Click Save.
  2. Set the appDef.idleTime in transact-config.json to be slightly longer than the timeout selected in Journey Manager. For example, if you selected 30 minutes as the Session timeout in Journey Manager, set the idleTime to at least 31 minutes. This will ensure that if both the application and Journey Manager session have been idle for the same amount of time, the app will check the JM session just after it has ended.

info

The idleTime value is specified in milliseconds. For example, the value for an idleTime of 31 minutes is 1860000 ( = 31 * 60 * 1000).

Each time the application is left idle (that is, without interaction) for the defined idleTime, Journey Brokers checks Journey Manager for a connected session. If the session time in Journey Manager has elapsed, the application logs out, presenting the login screen to the user.

Session Timeout User Warning (optional)

In addition to the idleTime setting in transact-config.json, you also have the option (starting from the 24.04 release) to set an idleTimeWarning setting. Like the idleTime, this setting is specified in milliseconds.

Once the idle warning time specified by idleTimeWarning is reached, a Snack message is displayed to the user, warning them that their session is about to expire. To avoid being logged out, the user must do something that refreshes their session; for example, refresh the current page.

info

Dismissing the warning Snack message is not enough to reset the session idle time.

Logout Redirect

The redirectLogoutUrl config property allows you to specify the URL the user is directed to when the logout button is clicked. An example is shown below.

Sample idleTimeWarning settings

The example config below assumes a session logout time of 15 minutes has been specified in JM (see previous section).

transact-config.json
  "appDef": {
    "name": "Workspaces 24.04",
    "formCode": "workspaces-24-04",
    "clientCode": "workspaces",
    "idleTime": 960000,
    "idleTimeWarning": 840000,
    "redirectLogoutUrl": "https://www.npmjs.com/"
  }

As per the previous section, the idleTime is set to 16 minutes (960,000 ms), which is one minute later than the server session timeout. The idleTimeWarning is then set to 14 minutes (840,000 ms), which is one minute before the server session timeout.

You can experiment with which idleTimeWarning setting works for you, but we recommend that the warning is not set to appear less than one minute before the server session timeout.
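
The timing rules on this page can be checked mechanically before a transact-config.json is deployed. The following is an added example, not part of Journey Brokers or its documentation: the function name checkSessionTimeouts and its finding messages are hypothetical, the Journey Manager session timeout is passed in by hand in minutes, and the https requirement on redirectLogoutUrl is a policy assumption of the example.

```javascript
// Added example: lint the appDef timing settings against the Journey Manager
// session timeout. checkSessionTimeouts and its messages are hypothetical names.
const MINUTE_MS = 60 * 1000;

function checkSessionTimeouts(appDef, jmTimeoutMinutes) {
  const findings = [];
  const serverMs = jmTimeoutMinutes * MINUTE_MS;
  const { idleTime, idleTimeWarning, redirectLogoutUrl } = appDef;

  if (!Number.isInteger(idleTime) || idleTime <= 0) {
    findings.push("idleTime must be a positive integer (milliseconds)");
    return findings; // nothing else can be compared without a valid idleTime
  }
  // Heuristic (assumption of this example): a value under one minute usually
  // means minutes or seconds were entered instead of milliseconds.
  if (idleTime < MINUTE_MS) {
    findings.push("idleTime is under one minute; was it entered in minutes?");
  }
  // The idle check must run after the server session has already ended.
  if (idleTime <= serverMs) {
    findings.push("idleTime must be longer than the Journey Manager session timeout");
  }
  if (idleTimeWarning !== undefined) {
    if (!Number.isInteger(idleTimeWarning) || idleTimeWarning <= 0) {
      findings.push("idleTimeWarning must be a positive integer (milliseconds)");
    } else if (serverMs - idleTimeWarning < MINUTE_MS) {
      // Page recommendation: warn at least one minute before the server timeout.
      findings.push("idleTimeWarning leaves less than one minute before the server timeout");
    }
  }
  if (redirectLogoutUrl !== undefined) {
    let url = null;
    try { url = new URL(redirectLogoutUrl); } catch (_) { /* not an absolute URL */ }
    // Requiring https is a policy assumption of this example, not a product rule.
    if (url === null || url.protocol !== "https:") {
      findings.push("redirectLogoutUrl should be an absolute https URL");
    }
  }
  return findings;
}

// Constructed sample: this page's values for a 15 minute server session.
const sample = { idleTime: 960000, idleTimeWarning: 840000,
                 redirectLogoutUrl: "https://www.npmjs.com/" };
console.log(checkSessionTimeouts(sample, 15));
```

An empty array means the settings satisfy the relationships described above; each string in the result names one setting to correct.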