Applies to:
Trust Protection Platforms older than 21.1
Summary: By modifying the Web.config file, we can modify the logged-in timeout values for the Web admin console. This article explains how to do this.
More Information:
After a period of inactivity, a warning message tells the user that they are about to be logged out. If the user does not cancel this message, they will be logged out. The default timeout value for TPP is five minutes.
To modify the timeout value, follow these steps:
- Log in to your Windows 2008 server with a user id that has the rights to browse the file system and modify files.
- Navigate to the admin folder and make a backup of the Web.config file. If your default drive is C:\, it is located at C:\Program Files\Venafi\Web\Admin\Web.config.
- Using a simple text editor (Notepad), edit the Web.config file. It will look like the following:
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="ChartImageHandler" value="storage=session">
</add>
...
TIP: On some versions of TPP, you will not see the xml version declaration at the top of the file.
- Auto logout by default starts at 90 seconds and then you have a 60-second countdown to log out.
- Add the following two keys in the configuration\appSettings section, after the closing </add> tag:
<add key="AutoLogoutWarningSeconds" value="270" />
<add key="AutoLogoutWarningLength" value="30" />
- Modify the values to suit your needs, but adhere to these suggestions:
- AutoLogoutWarningSeconds is how long (in seconds) before the auto-logout warning shows up. Any value between 120 and 1800 seconds (2 to 30 minutes) is valid. NOTE: If the value is manually set above 1800, 1800 is used.
- AutoLogoutWarningLength is how long to show the warning before logging the user off, in seconds. Values between 15 and 120 (seconds) are valid.
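The steps above as a script, added here as an example (not Venafi's own tooling): it backs up Web.config, rejects values outside the ranges listed above, and adds or updates the two keys. The parameter names and the backup file naming are assumptions; the path is the default location given above.

```powershell
# Added example: set the two auto-logout keys in Web.config with a backup and range checks.
# Parameter names are hypothetical; the default path is the one given in the article.
param(
    [string]$ConfigPath     = 'C:\Program Files\Venafi\Web\Admin\Web.config',
    [int]   $WarningSeconds = 270,   # article range: 120-1800
    [int]   $WarningLength  = 30     # article range: 15-120
)

# Reject out-of-range values up front so the file always states the value in effect.
if ($WarningSeconds -lt 120 -or $WarningSeconds -gt 1800) {
    throw "AutoLogoutWarningSeconds must be between 120 and 1800 (got $WarningSeconds)."
}
if ($WarningLength -lt 15 -or $WarningLength -gt 120) {
    throw "AutoLogoutWarningLength must be between 15 and 120 (got $WarningLength)."
}

# Back up the file before editing, as the article instructs (timestamped name is an assumption).
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true      # keep the rest of the file byte-for-byte readable in diffs
$xml.Load($ConfigPath)

$appSettings = $xml.SelectSingleNode('/configuration/appSettings')
if ($null -eq $appSettings) { throw "No configuration/appSettings section in $ConfigPath." }

# Update the key if it already exists; otherwise append it inside appSettings.
function Set-AppSetting([string]$Key, [int]$Value) {
    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($null -eq $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $Key)
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', [string]$Value)
}

Set-AppSetting 'AutoLogoutWarningSeconds' $WarningSeconds
Set-AppSetting 'AutoLogoutWarningLength'  $WarningLength
$xml.Save($ConfigPath)

# Total idle time before logout is the warning delay plus the warning countdown.
"Logout after $($WarningSeconds + $WarningLength) seconds of inactivity (backup: $backup)"
```

With the values shown in the article (270 and 30), the total comes to 300 seconds, the five-minute default.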
Frequently asked questions:
How often does the timeout fire?
- The timer resets every time you hit the server, which means on a reload of a page, or refreshing a tree or grid. In other words, it resets on every Ajax call. The timer displays a logout warning 5 minutes after the last time you received data from the server. When the logout warning is displayed and the user clicks the 'Cancel' button, an Ajax call is made to the server causing the timer to be reset.
Do we use an Ajax ping to ping the server periodically and keep the connection alive?
- Yes. The reason for enforcing the limitation of the timeout value is that the default timeout of the user’s session is 20 minutes. Many IIS admins reduce that time to ten minutes or sometimes even less. If the client (browser) is sitting there waiting ten minutes for something, or the user is reviewing data, their session on the server could time out making them log in again the next time they click on something and potentially cancel their request. To prevent the server session from timing out, the TPP web app continually "pings" the server from the client (using a JavaScript Ajax call) to ensure the session stays active on the server. So, the client will ensure they stay logged in as well as prompt them to log off when the time comes.
What happens when I open multiple browser windows (tabbed browsing)?
- If you open a tab to TPP and don't go back to it - even though you are actively using TPP in another tab - the background tab will launch the auto-logout code. This will cause your active tab to be logged off. There is no notification to other windows or tabs that one of the other tabs logged you off. In other words, the active tab will not warn you when this happens; the next time you contact the server will initiate a re-login.
What happens when I open multiple browser windows?
- The auto-logout code will fire for each browser using the time stamp from when the server was last accessed.
What actions trigger the timer to reset?
- Changing trees
- Selecting a different object in the tree (regardless of whether you’ve selected that object before this session)
- Selecting a tab in the details pane for the first time
- Clicking the Save button
- Clicking the refresh button in the details pane of an object
- Clicking any button on the bar below the tabs
What actions do not reset the timer?
- Applying a search or object type filter to the policy tree
- Using "find" to locate an instance of an object in the policy tree
- Clicking the refresh button in the tree
- Returning to a tab in the details pane while staying on the same object
- Applying or clearing filters in a grid view
- Changing the sort order in a grid view
- Showing or hiding a column in a grid view
- Moving through pages in a grid view
- Clicking the refresh button in a grid view
NOTE: For details on a symptom when you are being kicked out of the WebAdmin at random intervals, see https://support.venafi.com/entries/21423286