Enabling login timeout for a cookie-based session
When the login timeout feature is enabled, a logged-on cookie-based session, such as a web or mobile storefront session, that is inactive for an extended period is logged off the system, and the user is requested to log back on. If the user then logs on successfully, WebSphere Commerce runs the original request that was made by the user. If the user logon fails, the original request is discarded and the user remains logged off the system.
Note:
- For WebSphere Commerce tools (for example, Administration Console or WebSphere Commerce Accelerator), login timeout does not present a relogin page to the user. Instead, it closes the browser window and it is up to the user to log back on to the tool. Thus, in the case of tools, the original request that the user submits is not processed.
- When a user session times out and the user has chosen to be remembered, the session turns into a partially authenticated session instead of a generic user session. When this happens, the redirect URL goes to the original URL instead of the logon page (ReLogonFormView). If the original URL does not allow partial credential authentication, the user is redirected to the logon page (RememberMeLogonFormView).
- The login timeout feature applies only to requests that are not cached.
- If the original request is secured (SSL) and does not contain a krypto parameter, the original request will contain the krypto parameter that is generated by the logon command after relogon.
- With login timeout enabled, all Ajax requests that do not use AjaxAction must include the requesttype=ajax parameter in the URL so that, when a timeout occurs, a proper error can be returned and handled. For a list of session-based error codes, see ../refs/rseajaxerror.html#rseajaxerror.
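
The following added example (not part of the product documentation or IBM code) shows one way to audit storefront Ajax URLs for the requesttype=ajax parameter and add it where it is missing. The view names and parameter values in the sample list are constructed, and replacing a requesttype that has another value is an assumption of this example.

```javascript
const PARAM = "requesttype";
const VALUE = "ajax";

// Split "path?query#fragment" without re-encoding any part of the URL.
function splitUrl(url) {
  const hashAt = url.indexOf("#");
  const fragment = hashAt === -1 ? "" : url.slice(hashAt);
  const noFragment = hashAt === -1 ? url : url.slice(0, hashAt);
  const queryAt = noFragment.indexOf("?");
  const path = queryAt === -1 ? noFragment : noFragment.slice(0, queryAt);
  const query = queryAt === -1 ? "" : noFragment.slice(queryAt + 1);
  return { path, query, fragment };
}

// True when the query string already carries requesttype=ajax.
function hasAjaxRequestType(url) {
  return splitUrl(url).query.split("&").some((pair) => {
    const [key, value = ""] = pair.split("=");
    return key === PARAM && value === VALUE;
  });
}

// Return the URL with exactly one requesttype=ajax pair. A requesttype with
// any other value is replaced (assumption of this example), and the
// fragment stays at the end, after the query string.
function ensureAjaxRequestType(url) {
  const { path, query, fragment } = splitUrl(url);
  const kept = query
    .split("&")
    .filter((pair) => pair !== "" && pair.split("=")[0] !== PARAM);
  kept.push(`${PARAM}=${VALUE}`);
  return `${path}?${kept.join("&")}${fragment}`;
}

// Audit helper: URLs that would not be identified as Ajax on a timeout.
function findMissingRequestType(urls) {
  return urls.filter((url) => !hasAjaxRequestType(url));
}

// Constructed sample URLs for Ajax requests that do not use AjaxAction.
const sampleUrls = [
  "SampleMiniCartView?storeId=10151&catalogId=10001",
  "SampleResultsView?storeId=10151&requesttype=ajax#results",
  "SampleOrderView?requesttype=json&storeId=10151",
  "SampleQuickInfoView",
];

console.log(findMissingRequestType(sampleUrls).map(ensureAjaxRequestType));
```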