Friday, August 12, 2011

OpenSSO/OpenAM : Session Timeout for Login Page

The following is the page most customers hate. 

Unlike other web-based applications, the OpenSSO/OpenAM login page itself has a timeout value. The clock starts ticking when users land on this page. If users do not login before the timeout, the "Your session has timed out" will be displayed. The default value is 120 seconds.

How can we increase this value? This is the most common question from customer.

[openam953]$ cd /home/openam953/opt3/tomcat/webapps/openam953/config/auth/default_en
[openam953]$ vi DataStore.xml

Change timeout from 120 to 300. I personally think 5 minutes is a reasonable value. Why would one come to a Central Single Sign-On page to do nothing? Most probably, one would want to authenticate and be quickly redirected to the intended application.

I somehow had this impression that a timeout value of 0 implies there will be no session timeout. With this impression, I implemented this solution for one of my customer in one of the local ministries. The feedback was the Login Page times out even faster. Strange! :)

After much debug, I then realized 0 is not an accepted value. If 0 is input, a default value of 60 seconds will be applied.

[openam953]$ tail -f Authentication | grep -i "timeout"

Setting page timeout :60
Returning page timeout :60
Setting page timeout :120 <- Default Login Page value

Setting page timeout :60
Returning page timeout :60
Setting page timeout :600 <- This was when I set the timeout value to 600

Setting page timeout :60
Returning page timeout :60
Setting page timeout :60 <- If 0 is input, it will be replaced by 60

This default value can be found in PagePropertiesCallback.

And also, do take note of Invalidate Session Max Time in Session Limits.

The default value is 3 mins. In my case, I should set it to 6 mins instead.



  1. hello, i follow below stept to increase session timeout value and after redeploy my opensso/openAm war there are no changes , any other suggestion to my case
    ie. i'm user opensso war version 11.0

  2. Redeploy? I would assume your embedded OpenDJ will be a new instance then. And that will imply what you have configured prior to your redeploy will not be applicable anymore.

  3. no i can see my changes in datastore.xml file after deploying my war so what can i do ?! thanks for your attention

  4. You could be in the different locale. Trace the debug log and it'll tell you which locale you are at.