Best practice setting Session time out

Adrian Juell

Hi 

I have a client that wants to set the session timeout for their website to 48 hours. 

I have only been able to locate where I can set the Shopping cart session time out (720 min standard). Is there anywhere else in the BE where I can set the login-session timeout interval?

 


Replies

 
Nicolai Pedersen Dynamicweb Employee

Hi Adrian

You can increase session timeout in web.config of the solution.

You should be careful about an increase in session timeout above 20 mins as it will impose primarily potential security issues and can also affect performance and memory usage as sessions will live for too long.

My guess is that they have something more specific in mind more than just increase session timeout - e.g. increase the time before a login expires? That can also be done in settings.

BR Nicolai

 
Adrian Juell

Thanks for the quick answer, Nicolai!

And yes, you are correct, they want their sales reps to be able to keep a login for at least 48 hours, as they are often continuously working on customer quotes etc.

Can all of this be set in the web.config? If so, which parameters?

Is this the one - now set to 48 hrs:

Are there other things that can cause a logout, such as re-indexing or similar? 

 

I also agree with you regarding the security risk etc., but the customer has been made aware of this, and requested the change anyway.

 
Nicolai Pedersen Dynamicweb Employee

Sessions will reset for all kinds of reasons, and the timeout is more a hint to IIS for how long is maximum time to live - but not in any way a sure thing.

You do not mention your DW version, but in at least the last couple of minors, you can set login expiration of the login cookie under settings:

https://doc.dynamicweb.com/documentation-9/platform/advanced-settings/control-panel#11139

The login is basically stored in the cookie - and that cookie will have a time to live related to that specific device.

But again, you cannot be sure. E.g. I use a browser that will clear my cookies when I close it - and then the login cookie will go away and I need to log in again.

BR Nicolai

 
Adrian Juell

Thank you for this clarification, Nicolai! 

DW version: 9.16.6

The customer has set the 'Login cookie' setting to 7 days currently, but still gets logged out after just 30 mins.
So I'm starting to think that there are other external factors in play here.


 

 
Nicolai Pedersen Dynamicweb Employee

Have you inspected the cookies that are set on this solution - what are their expiration times, what do they contain?

And are you sure it is a logout - and not something else?

You can provide a URL and I can have a look.
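
One way to carry out the cookie inspection suggested above, as an added example that is not part of the original thread or of Dynamicweb's code: it parses `Set-Cookie` headers and reports each cookie's effective lifetime and its `Secure`/`HttpOnly` flags against a 48-hour target. The header values, the fixed clock, and the names `ExampleLoginCookie` and `ExampleShortCookie` are constructed assumptions; `ASP.NET_SessionId` is the ASP.NET default session cookie name.

```javascript
// Constructed Set-Cookie headers for illustration, not captured from any real site.
// ExampleLoginCookie / ExampleShortCookie are hypothetical names.
const SAMPLE_HEADERS = [
  "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",
  "ExampleLoginCookie=opaque-token; expires=Wed, 08 Jan 2025 12:00:00 GMT; path=/; Secure; HttpOnly",
  "ExampleShortCookie=1; Max-Age=1800; expires=Wed, 08 Jan 2025 12:00:00 GMT; path=/",
];

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds as a browser applies it (RFC 6265: Max-Age wins over Expires).
// Returns null for a session cookie, which is dropped when the browser session ends.
function lifetimeSeconds(cookie, now) {
  if (cookie.attrs["max-age"] !== undefined) return Number(cookie.attrs["max-age"]);
  if (cookie.attrs.expires !== undefined) {
    return Math.round((Date.parse(cookie.attrs.expires) - now.getTime()) / 1000);
  }
  return null;
}

// Summarise every cookie: kind, lifetime in hours, and whether it outlives the target.
function auditCookies(headers, now, wantedHours) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    const life = lifetimeSeconds(c, now);
    return {
      name: c.name,
      kind: life === null ? "session" : "persistent",
      hours: life === null ? null : life / 3600,
      outlivesTarget: life !== null && life >= wantedHours * 3600,
      secure: c.attrs.secure === true,
      httpOnly: c.attrs.httponly === true,
    };
  });
}

const NOW = new Date("2025-01-01T12:00:00Z"); // constructed "current time"
console.table(auditCookies(SAMPLE_HEADERS, NOW, 48));
```

A cookie reported as `session`, or one whose `Max-Age` is shorter than the `Expires` date suggests, will not last the configured number of days regardless of the login cookie setting.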

 
Adrian Juell

Thanks for all your help, much appreciated!

This is relekta.no

Edit: this also happens on tablets, and the users are predominantly using Safari and Chrome.

 
