Session timeout
When session timeout is enabled, a user session is automatically logged off after a set period of inactivity. This applies to users who have logged into HCL Commerce, not to guest sessions. Session timeout settings can be changed to match the security requirements of your site. Session timeout does not apply to requests that are served from cache and therefore bypass the HCL Commerce session management code.
There are two mechanisms for session timeout in HCL Commerce:
- Cookie-based timeout: Session expiry is built into the WC_USERACTIVITY cookie.
- Activity-based timeout: When cookies are not used, the Business Context Service activity, persisted in the CTXMGMT table, is used to determine whether the session has timed out. Examples of when this is used are REST API calls made with WCToken and WCTrustedToken, or Management Center for HCL Commerce, which does not use the WC_USERACTIVITY cookie.
When a user session times out and the user had previously chosen to be remembered, the session becomes a partially authenticated session instead of a generic user session. In that case, the user can continue with their request if the requested API is configured to be accessible by partially authenticated users.
When requests are made using the Spring framework, the following Spring views are used:
- ReLogonFormView: The user is sent to this view if the session times out and the user is not remembered.
- RememberMeLogonFormView: The user is sent to this view if they are a partially authenticated user and are trying to access an API that partially authenticated users are not allowed to access.
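The timeout rules and the view selection above, written out as an added model of the decision a request goes through. This is illustration code, not HCL Commerce's own: the class and function names, the 30-minute timeout and the scenarios are assumptions, and the cookie_expiry and last_activity fields stand in for the WC_USERACTIVITY cookie and the CTXMGMT activity record.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Site-specific setting; 30 minutes is an assumption for this example.
TIMEOUT = timedelta(minutes=30)


@dataclass
class Session:
    user_id: str
    remembered: bool                   # user chose to be remembered at logon
    cookie_expiry: Optional[datetime]  # expiry carried in WC_USERACTIVITY; None if no cookie
    last_activity: datetime            # last Business Context Service activity (CTXMGMT)


def is_timed_out(session: Session, now: datetime, timeout: timedelta = TIMEOUT) -> bool:
    """Cookie-based timeout when the WC_USERACTIVITY cookie is present;
    activity-based timeout otherwise (WCToken/WCTrustedToken REST calls and
    Management Center carry no such cookie)."""
    if session.cookie_expiry is not None:
        return now >= session.cookie_expiry
    return now - session.last_activity >= timeout


def resolve(session: Session, now: datetime, api_allows_partial: bool,
            served_from_cache: bool = False, timeout: timedelta = TIMEOUT):
    """Return (session_state, view) for one request.

    view is None when the request proceeds; otherwise it names the Spring
    view the user is sent to.
    """
    if served_from_cache:
        # Cached responses bypass session management, so no timeout is applied.
        return ("unchecked", None)
    if not is_timed_out(session, now, timeout):
        return ("authenticated", None)
    if not session.remembered:
        return ("generic", "ReLogonFormView")
    # Timed out but remembered: partially authenticated, admitted only where
    # the requested API accepts partially authenticated users.
    if api_allows_partial:
        return ("partially_authenticated", None)
    return ("partially_authenticated", "RememberMeLogonFormView")


NOW = datetime(2024, 1, 1, 12, 0)  # constructed clock for the scenarios


def demo_cases() -> dict:
    """Constructed scenarios covering each branch of the decision."""
    fresh = NOW - timedelta(minutes=5)
    stale = NOW - timedelta(minutes=45)
    cases = {
        # cookie still valid: the stale activity record is not consulted
        "cookie_active": (Session("u1", False, NOW + timedelta(minutes=10), stale), True, False),
        # cookie expired, not remembered -> re-logon
        "cookie_expired_not_remembered": (Session("u2", False, NOW - timedelta(minutes=1), fresh), True, False),
        # no cookie (REST with WCToken): activity stale, remembered, API tolerant
        "token_stale_remembered_allowed": (Session("u3", True, None, stale), True, False),
        # same session, but the API rejects partially authenticated users
        "token_stale_remembered_denied": (Session("u4", True, None, stale), False, False),
        # no cookie, recent activity
        "token_fresh": (Session("u5", False, None, fresh), True, False),
        # expired cookie, but the response is served from cache
        "cached_response": (Session("u6", False, NOW - timedelta(minutes=1), stale), True, True),
    }
    return {name: resolve(s, NOW, allowed, cached) for name, (s, allowed, cached) in cases.items()}


if __name__ == "__main__":
    for name, (state, view) in demo_cases().items():
        print(f"{name:32} {state:24} {view}")
```

The cookie check deliberately takes precedence over the activity record, which is why a request carrying a live WC_USERACTIVITY cookie proceeds even when the CTXMGMT timestamp is stale; the cached_response case is the practical caveat that a cache hit is never evaluated at all.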
Reference
- Details about the partialAuthentication attribute in REST configuration can be found within Enabling partial authentication and cookie-based authentication for REST services.
- Details about the credentialsAccepted property in Spring configuration can be found within Spring MVC and store controller customization.