7 Replies Latest reply: Apr 23, 2013 11:54 AM by Telmo Duarte RSS

    Document session doesn't timeout

    Telmo Duarte

      Hi Community,


      When on Accesspoint and open a document on a new tab, it doesn't seem to timeout the session.

      There are no settings at document level and session timeout should be 60 minutes.

      After more then 60mins on inactivity, if I hit refresh on Accesspoint, it prompts for login but if I go to the open document tab and hit refresh, it restores the session both for the document and for Accesspoint without prompting for password.

      We are using AJAX client.


      Any thoughts?


      Here are the settings:


        • Re: Document session doesn't timeout
          Bill Britt



          I am trying to sort out what the issue you are having.  Looking at your settings you have the inactive time set to 30 minutes and not 60 and nothing at the document level. My question would be are you using IIS or QVWS? The reason I as is that in IIS the ASP session timeout is set for 20 minutes and the same with the Application Pool timeout is 20 also.  So, most of the time IIS kills the connection before QV would.


          What is your session log showing?


          The reason you are not asked again for user name and password is because IE is caching that.





          • Re: Document session doesn't timeout
            Telmo Duarte

            I've raised this issue with Support and they have confirmed this behaviour as working as designed.

            Here's a summary of their explanation:


            I was only able to trace this specific behaviour to the browsers (IE and Chrome automatically use the NTLM capabilities to re-loggon their users. Firefox ended up prompting, as it does not by default support NTLM.
            I recall that a design change was done in the early versions of 11 which ended up forcing a logon whenever users timed out from their documents (what it did was redirect them to the accesspoint). That was a change from 10, which automatically did a re-loggon.
            Customers did not agree with this though, and the issue was bugged and then "fixed" (reverted back to version 10 behaviour) - no logons required as the logon was done automatically after a timeout.

            The general consent on the lack of a re-authentication after a session timeout within the document after a timeout is considered working as designed. The session timeouts were not meant as a security feature at this point of entry, but as a means to release CALs and allow the document to be unloaded.


            Not the answer I was hoping for but al least it's explained.