Session management

Session timeouts

Magnolia comes with a default session timeout. However, you can configure this to meet your requirements.

Session timeout after user inactivity

The session timeout defines the period of inactivity after which the user must log in again. The session timeout for the Magnolia AdminCentral is bound to the session timeout of the underlying servlet container; Magnolia does not keep a separate timer of its own. Inactivity is measured from the last request the browser sent to the server.

The default timeout is 30 minutes.

The timeout is configured in the servlet container's deployment descriptor, web.xml. On a Tomcat server, conf/web.xml (./apache-tomcat/conf/web.xml if you run Magnolia locally) holds the container-wide default, and a web application's own WEB-INF/web.xml can override it for that application with the same <session-config> element shown below.

For more in-depth information on Vaadin session timeouts, see the Vaadin docs.

Configure the session timeout

  1. Go to apache-tomcat/conf/web.xml.

  2. Update <session-timeout> to your desired duration.

    apache-tomcat/conf/web.xml
    <session-config>
      <session-timeout>30</session-timeout> (1)
    </session-config>
    1 The session timeout in minutes.

If you use an Identity Provider for SSO, align the web.xml <session-timeout> with the session lifetime configured at your provider. For example, if your Okta session lasts 2 hours (120 minutes), set <session-timeout> to 120. Keep the value positive: under the Servlet specification a <session-timeout> of 0 or less means sessions never time out on inactivity, which defeats the purpose of the setting.

Session invalidation

Since Magnolia 6.2.42, you can configure Magnolia to invalidate user sessions when a user changes their password.

Logging users out of all sessions when they change their password improves security: every session that was established with the old password is invalidated immediately, so anyone who obtained one of those sessions on another device loses access, and the user's account is left in a consistent state everywhere.

Session invalidation after user password change

When a user changes their password, they may choose to invalidate all their active sessions and log in again for security purposes. The same applies when the superuser resets a password on behalf of a user.

You enable session invalidation by registering a listener in web.xml. Because the listener belongs to the Magnolia web application, it goes in that application's WEB-INF/web.xml, the file that already registers Magnolia's servlet context listener, not in Tomcat's container-wide conf/web.xml. As with the timeout, the setting is therefore per web application.

Configure session invalidation

  1. Go to the WEB-INF/web.xml of your Magnolia web application.

  2. Add the DefaultHttpSessionListener listener to the file directly after the existing MagnoliaServletContextListener entry.

    webapp/WEB-INF/web.xml
    <listener>
      <listener-class>info.magnolia.cms.security.DefaultHttpSessionListener</listener-class>
    </listener>
  3. Restart the server.

When this listener is added, any user changing their password is given the option to log out of all their sessions. They must then log in again with their updated password. Alternatively, the user may also choose to keep their active sessions running even when they change their password.

This invalidation only affects JCR users (users stored in Magnolia's own user repository). It doesn't apply to SSO, LDAP, or other external users, who also have no access to the Edit user profile dialog in Magnolia. External users must change their passwords in the external IdP or SSO provider, and session handling for them follows that provider's configuration.