Aligning session timeouts

Often, identity providers have default session timeouts by which a user’s session is terminated after a certain period of inactivity. Magnolia also has a <session-timeout> parameter that is set at ./apache-tomcat/conf/web.xml under a default configuration section.

However, to avoid any potential issues when using the SSO module, you should align this session timeout with that of your identity provider (such as Okta).

Session timeout after user inactivity

The session timeout defines the allowed time of inactivity after which the user must log in again. The session timeout for the Magnolia AdminCentral is bound to the session timeout of the underlying servlet container. The inactivity itself is measured from the last request to the server.

The default timeout is 30 minutes.

On a Tomcat server, for instance, the session timeout is configured per web application in web.xml, as shown below. If you’re running Magnolia locally, you can typically find this file at ./apache-tomcat/conf/web.xml.

For more in-depth information on Vaadin session timeouts, see the Vaadin docs.

Configure the session timeout

  1. Go to apache-tomcat/conf/web.xml.

  2. Update <session-timeout> to your desired duration.

      <session-timeout>30</session-timeout> (1)

      (1) The session timeout in minutes.

If you are using an identity provider for SSO, you’ll need to ensure that the web.xml configuration for <session-timeout> is aligned with your provider. For example, if your timeout for Okta is 2 hours (120 minutes), you should set <session-timeout> to 120.
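One way to check the alignment described above, as an added example that is not part of the Magnolia documentation: the script reads <session-timeout> from the text of a web.xml and compares it with the identity provider's timeout in minutes. The sample web.xml is constructed, the function names are hypothetical, and the identity provider value is assumed to be supplied by you (here the page's 120-minute Okta example).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the relevant part of a Tomcat conf/web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
"""


def read_session_timeout(web_xml_text):
    """Return <session-timeout> in minutes, or None if it is absent or empty."""
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        # Strip the XML namespace so javaee and jakarta descriptors both match.
        if elem.tag.rsplit("}", 1)[-1] == "session-timeout":
            text = (elem.text or "").strip()
            return int(text) if text else None
    return None


def check_alignment(web_xml_text, idp_timeout_minutes):
    """Compare the container timeout with the IdP timeout (both in minutes)."""
    container = read_session_timeout(web_xml_text)
    if container is None:
        return (False, "no <session-timeout> value found")
    if container <= 0:
        # Servlet specification: a value of 0 or less means sessions never time out.
        return (False, "sessions never time out in the servlet container")
    if container == idp_timeout_minutes:
        return (True, f"aligned at {container} minutes")
    return (False, f"web.xml has {container} minutes, identity provider has "
                   f"{idp_timeout_minutes}: set <session-timeout> to "
                   f"{idp_timeout_minutes}")


if __name__ == "__main__":
    # Assumed IdP value: the 2-hour (120-minute) Okta example from the text.
    ok, message = check_alignment(SAMPLE_WEB_XML, 120)
    print("OK" if ok else "MISMATCH", "-", message)
```

To check a real installation, pass the contents of apache-tomcat/conf/web.xml instead of the sample.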

Magnolia 6.3 beta

Magnolia 6.3 is in beta. We are updating docs based on development and feedback. Consider the 6.3 docs currently in a state of progress and not final.

We are working on some 6.3-beta known issues during this phase.