Session timeouts

Magnolia comes with a default session timeout. However, you can configure this to meet your requirements.

Session Timeout After user Inactivity

The session timeout defines the allowed time of inactivity after which the user must login again. The session timeout for the Magnolia AdminCentral is bound to the session timeout of the underlying servlet container. The inactivity itself is measured from the last request to the server.

The default timeout is

30 minutes.

If you’re running Magnolia locally, you can typically find this file at ./apache-tomcat/conf/web.xml. For instance, on a Tomcat server, the session timeout is configured per web application in the web.xml as shown below.

For more in-depth information on Vaadin session timeouts, see the Vaadin docs.

Configure the session timeout

  1. Go to apache-tomcat/conf/web.xml.

  2. Update <session-timeout> to your desired duration.

    apache-tomcat/conf/web.xml
    <session-config>
  <session-timeout>30</session-timeout> (1)
</session-config>
    1 The session timeout in minutes.
If you are using an Identity Provider for SSO, you’ll need to ensure that the web.xml configuration for <session-timeout> is aligned with your provider. For example, if your timeout for Okta is 2 hours (120 minutes), you should set <session-timeout> to 120.
Feedback