Session Management Bible
There are a few basic concepts that affect session management in Business Objects:
1. Logon Token
This is created by the application (both InfoView and CMC) when a user first logs into the system.
The expiry for this token is eight hours. Configuring the token duration is not supported.
Whether to use this token is configurable; it is enabled by default (true). When the token is used, the user is silently logged back on to the system for the lifetime of the token.
2. Web Session (HTTP Session / Tomcat Session)
The lifetime of the web session is defined in the web.xml of each web-app (InfoViewApp.war, InfoViewAppActions.war, PlatformServices.war, AR.war and so on).
The default time-out value for each web-app is 20 minutes.
It is strongly recommended that when the time-out value is updated for one web-app, all other web-apps are updated to the same value.
3. Enterprise Session
InfoView will ping the Central Management Server (CMS) every two to three minutes.
The enterprise session will stay active for 10 minutes past the last ping from the client.
4. CMS Failover Token
The default time-out is 30 minutes. This value can be configured through the CMS command line, but it is strongly recommended that it is not changed. Other BOE servers and applications use this value, so changing it may produce unexpected time-out behavior.
Please note that after the web session has timed out, the silent logon does not return the user to their previous state.
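One way to check the equal-time-out recommendation from the Web Session item above, as an added example that is not part of the original post. It assumes each web.xml carries the standard servlet session-timeout element (in minutes); the function names and the sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def session_timeout(web_xml_text):
    """Return <session-timeout> (minutes) from a web.xml, or None if absent."""
    for el in ET.fromstring(web_xml_text).iter():
        # Compare local names so namespaced and plain descriptors both match.
        if el.tag.rsplit("}", 1)[-1] == "session-timeout":
            return int((el.text or "").strip())
    return None

def audit(descriptors):
    """descriptors: web-app name -> web.xml text. Returns (timeouts, findings)."""
    timeouts = {app: session_timeout(xml) for app, xml in descriptors.items()}
    findings = []
    for app, value in sorted(timeouts.items()):
        if value is None:
            findings.append(f"{app}: no session-timeout set, container default applies")
        elif value <= 0:
            # Servlet spec: zero or negative means the session never times out.
            findings.append(f"{app}: session-timeout {value} means sessions never expire")
    explicit = sorted((a, v) for a, v in timeouts.items() if v is not None)
    if len({v for _, v in explicit}) > 1:
        findings.append("mismatch: " + ", ".join(f"{a}={v}" for a, v in explicit))
    return timeouts, findings

# Constructed sample descriptors (assumption: not taken from a real deployment).
NS = 'xmlns="http://java.sun.com/xml/ns/j2ee"'

def make_web_xml(minutes=None, ns=""):
    cfg = ""
    if minutes is not None:
        cfg = f"<session-config><session-timeout>{minutes}</session-timeout></session-config>"
    return f"<web-app {ns}><display-name>sample</display-name>{cfg}</web-app>"

SAMPLE = {
    "InfoViewApp": make_web_xml(60, NS),        # raised without updating the others
    "InfoViewAppActions": make_web_xml(20),
    "PlatformServices": make_web_xml(20, NS),
    "AR": make_web_xml(),                       # element missing entirely
}

if __name__ == "__main__":
    timeouts, findings = audit(SAMPLE)
    for app, value in sorted(timeouts.items()):
        print(f"{app:20} {value}")
    for finding in findings:
        print("FINDING:", finding)
```

Against a real deployment, read the WEB-INF/web.xml of each deployed web-app into the dictionary passed to audit().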
Other impacts on Business Objects session management
There are additional processes that impact the session management.
The first is that the client pings the CMS every two to three minutes to keep the enterprise session alive.
When the web session has terminated, this ping stops. At this point the enterprise session will wait for a period of 10 minutes. This is described as the idle time-out period.
Following the 10 minute idle time-out period there is an additional period of zero to 10 minutes (this process runs every 10 minutes) while the enterprise session is invalidated.
Once the enterprise session has been invalidated the current CMS enterprise session is returned (CMS session count drops).
It is recommended that the Idle Session Timeout value always exceeds the ping time.
Therefore the minimum recommended value for the Idle Session timeout is four minutes.
Once the enterprise session has been invalidated the CMS failover token will time-out after 30 minutes.
To summarize: Once the web session has terminated (timed out) there is an additional 50 minutes on the CMS before the user is actually timed out.
This assumes that the Default Token is disabled. If the default token has been enabled the user will be silently logged back on after this point (up to the lifetime of the default token – eight hours from when the user originally logged on).
User activity that interacts with the server during the 50-minute period will re-create the enterprise session. From the user's perspective they would be silently logged on to InfoView, even with the default token disabled.
The user will see some loss of state, as this is stored in the previous web session.
Web Session time-out (in .war file(s)) = 20 minutes
Logon Token = disabled
1. After 20 minutes of inactivity the client stops pinging the CMS. State information will be lost at this point.
2. The enterprise session stays alive for a period of 10 minutes after the last ping.
3. The enterprise session is invalidated after a period of 0-10 minutes. At this point the CMS session count drops.
4. The CMS Failover token times out after 30 minutes.
5. The InfoView user experiences the time-out after a total of 70 minutes.
Please feel free to comment and add more value to this post.