
KEEP_SESSION_ALIVE set to false not respected #8238

Closed
levosgien opened this issue Oct 13, 2015 · 6 comments

Comments

@levosgien

Reference: https://my.dotcms.com/ticket/dotcms-109/

We tried setting the KEEP_SESSION_ALIVE dotmarketing-config property to false. It looks like this was originally intended to time the user out after 30 mins and redirect them to the login page. Our experience has been that whilst it does redirect them to the login page, they then just get redirected straight back in.

If you have KEEP_SESSION_ALIVE set to true it does a keep alive call every 15 mins. I suspect the problem is that there is now a call to /api/notification/getNewNotificationsCount/ every 5 seconds so this is always keeping the session alive now regardless of the KEEP_SESSION_ALIVE property. So I think something needs to change there if you still want KEEP_SESSION_ALIVE to work following the addition of the notifications check.

@jtesser
Contributor

jtesser commented Oct 13, 2015

Yeah, probably the notification is keeping this up.

@wezell
Contributor

wezell commented Oct 13, 2015

Yeah, I guess the solution is: if you have KEEP_SESSION_ALIVE set to false, only call checkNotifications on page refresh. The problem is the whole notification API needs a user, which comes from the session.

@jtesser
Contributor

jtesser commented Oct 13, 2015

Yea there are other solutions but they are not pretty :-p

joseorsini added a commit that referenced this issue Oct 15, 2015
@trigfoot

Hi,

I don't think the proposed fix will work as there are other calls to the server in the page after the setTimeout("checkNotifications()",60000 * 30) that will restart the session timer, so when this notifications timer hits 30 mins the session won't quite have expired yet and this call will just cause the session timeout to be extended by another 30 mins.

This is the fix we attempted in nav_sub_inc.jsp:

// Run once when the page is first displayed, regardless of the property.
checkNotifications();

<% if(Config.getStringProperty("KEEP_SESSION_ALIVE").equalsIgnoreCase("true")) {%>
    // Only when keep-alive is enabled: poll every 5 seconds
    window.setInterval(function(){
        checkNotifications();
    }, 5000);
<% } %>

So the notification check is done when each page is first displayed, then not again until the user goes to another page (if KEEP_SESSION_ALIVE is false).

This works fine in Chrome/Firefox, but we seem to have a separate issue with IE. (See 2. in my support ticket ah-15.) Even after the session should have expired, users continue to stay logged in in IE. After the session timeout period has passed and no check notification calls made in that time, if you go to a new page the JSESSIONID changes to a new one and the user still continues to stay logged in. Instead of the session expiring as with the other browsers, in IE it looks like it is continuing the same session just with a new JSESSIONID. Any ideas why? Thanks.
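The gating discussed in this thread, as an added example that is neither dotCMS code nor any commenter's: when KEEP_SESSION_ALIVE is false, the notification poller only issues requests while the user has interacted recently, so an idle user's background polls cannot keep extending the server session. The names `createNotificationPoller`, `activityWindowMs` and the injectable `now` clock are assumptions made for this example; `checkNotifications` is the page's own function.

```javascript
// Added example (not dotCMS code): a notification poller whose background
// requests stop once the user has been idle, so they cannot keep a server
// session alive when KEEP_SESSION_ALIVE is false. The clock is injectable
// so the logic can be exercised without a browser.
function createNotificationPoller(opts) {
  const keepSessionAlive = Boolean(opts.keepSessionAlive);
  // Polling is allowed only this long after the last real user interaction
  // when keep-alive is off (constructed default: 60 s). Keep it well below the
  // server session timeout: the server session can still live for
  // "last poll + timeout", so this window bounds the extra extension.
  const activityWindowMs = opts.activityWindowMs ?? 60000;
  const now = opts.now ?? (() => Date.now());
  const poll = opts.checkNotifications; // the page's checkNotifications()
  let lastUserActivityMs = now();
  let issued = 0;
  let suppressed = 0;

  return {
    // Call from genuine input handlers (click, keydown), never from timers.
    recordUserActivity() { lastUserActivityMs = now(); },
    // One timer tick. Returns true if a request was issued.
    tick() {
      const idleMs = now() - lastUserActivityMs;
      if (!keepSessionAlive && idleMs > activityWindowMs) {
        suppressed += 1; // idle user: stay silent so the server session can expire
        return false;
      }
      poll();
      issued += 1;
      return true;
    },
    stats() { return { issued, suppressed }; },
  };
}

// Browser wiring (assumed names: window, document). Not run in the test.
function installInBrowser(poller, intervalMs = 5000) {
  ['click', 'keydown', 'mousemove'].forEach((ev) =>
    document.addEventListener(ev, () => poller.recordUserActivity(), { passive: true }));
  return window.setInterval(() => poller.tick(), intervalMs);
}
```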

@joseorsini
Contributor

Session invalidation in IE is not working even if KEEP_SESSION_ALIVE is set to false.

Tested on 3.2.3/Postgres 9/Java 8/IE 11.

Session timeout was changed to 5 minutes in the bottom_portal_inc.jsp so the time wait is shorter (only for testing purposes).

At login:

[image: screenshot-1]

After "Session Expired" alert was shown and it attempts to redirect to backend login page:

[image: screenshot-2]

Tested a potential fix for this (in 3.2.3), so sessions are invalidated for all Browsers if the Keep-Session-Alive property is set to false.

IE 11 During Active Session:

[image: ie-after-fix-1]

IE 11 After "Session Expired" message is displayed. Notice the changes on Server cookies:

[image: ie-after-fix-2]

Chrome 46 During Active Session:

[image: chrome-after-fix-1]

Chrome 46 After "Session Expired" message is displayed. Notice the changes on Server cookies:

[image: chrome-after-fix-2]

jtesser pushed a commit that referenced this issue Oct 23, 2015
…for-notifications-api-call-part-2

proposed fix #8238
@joseorsini
Contributor

PR: #8254

5 participants