Session management
Session timeouts
Magnolia comes with a default session timeout. However, you can configure this to meet your requirements.
Session timeout after user inactivity
The session timeout defines the allowed time of inactivity after which the user must login again. The session timeout for the Magnolia AdminCentral is bound to the session timeout of the underlying servlet container. The inactivity itself is measured from the last request to the server.
- The default timeout is
-
30
minutes.
If you’re running Magnolia locally, you can typically find this file at ./apache-tomcat/conf/web.xml
. For instance, on a Tomcat server, the session timeout is configured per web application in the web.xml
as shown below.
For more in-depth information on Vaadin session timeouts, see the Vaadin docs. |
Configure the session timeout
-
Go to
apache-tomcat/conf/web.xml
. -
Update
<session-timeout>
to your desired duration.apache-tomcat/conf/web.xml<session-config> <session-timeout>30</session-timeout> (1) </session-config>
1 The session timeout in minutes.
If you are using an Identity Provider for SSO, you’ll need to ensure that the web.xml configuration for <session-timeout> is aligned with your provider. For example, if your timeout for Okta is 2 hours (120 minutes), you should set <session-timeout> to 120 .
|
Session invalidation
Since Magnolia 6.2.42, you can configure Magnolia to invalidate user sessions when a user changes their password.
Logging users out of all sessions when they change their password enhances security by immediately invalidating any active sessions using the old password, preventing unauthorized access, and maintaining the integrity of the user’s account across devices.
Session invalidation after user password change
When a user changes their password, they may choose to invalidate all their active sessions and log in again for security purposes.
The same applies when the superuser
resets a password on behalf of a user.
You can configure session invalidation in the web.xml
file.
If you’re running Magnolia locally, you can typically find this file at ./apache-tomcat/conf/web.xml
.
For instance, on a Tomcat server, the session invalidation is configured per web application in the web.xml
as shown below.
Configure session invalidation
-
Go to
apache-tomcat/conf/web.xml
. -
Add the
DefaultHttpSessionListener
listener to your file under the existingMagnoliaServletContextListener
.webapp/WEB-INF/web.xml<listener> <listener-class>info.magnolia.cms.security.DefaultHttpSessionListener</listener-class> </listener>
-
Restart the server.
When this listener is added, any user changing their password is given the option to log out of all their sessions. They must then log in again with their updated password. Alternatively, the user may also choose to keep their active sessions running even when they change their password.
This invalidation only affects JCR users. It doesn’t apply to SSO, LDAP, or any external users, who also have no access to the Edit user profile dialog in Magnolia. Instead, external users must update their passwords in the external IdP or SSO provider in use. |