LTPA Timeout in WebSphere Application Server (Authentication Timeout)
Posted by eichelgartenweg on 11:33 AM with 1 comment
Web techniques like AJAX are designed for “long user sessions”, especially in a business context.
In WebSphere, a user session is limited by two timeouts:
- JSession (Plain Java Session ID)
- Lightweight Third-Party Authentication (LTPA) - IBM's proprietary authentication mechanism
An LTPA-based authentication session has a fixed timeout. This timeout is defined globally under
Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration
Every time a user logs in, an LTPA token with a specific time-based validity is extended or reused.
Whether an LTPA token is reused or renewed can be influenced by setting a cacheMaxTimeout value as a JVM property. If the remaining LTPA validity period is lower than the cacheCushionMax value, a new LTPA token (with a new validity) is created. If the remaining LTPA validity is higher than the cacheCushionMax value, the “old” LTPA session (with the “old” LTPA timeout) is reused.
User activities do not automatically extend the validity! The LTPA-Timeout is a static timeout!
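A small model of the reuse-or-renew decision and the static expiry described above, as an added example that is not IBM's code or part of the original post. The 120-minute timeout, the 10-minute cushion and both timelines are constructed values; treating a remaining validity equal to the cushion as "renew" and a token as expired at its exact expiry minute are assumptions.

```python
from dataclasses import dataclass

TIMEOUT_MIN = 120  # constructed LTPA timeout, in minutes
CUSHION_MIN = 10   # constructed cushion value, in minutes

@dataclass
class LtpaToken:
    expires_at: int  # fixed at creation; requests never move it

def login(now, cached, timeout_min, cushion_min):
    """Reuse the cached token if enough validity remains, else issue a new one."""
    if cached is not None and cached.expires_at - now > cushion_min:
        return cached, "reused"
    # Remaining validity at or below the cushion (assumption for the
    # equal case), or no token yet: create a token with a new validity.
    return LtpaToken(now + timeout_min), "new"

def simulate(events, timeout_min=TIMEOUT_MIN, cushion_min=CUSHION_MIN):
    """events: chronological (minute, "login" | "request") pairs.
    Returns (minute, kind, outcome, token_expiry) for each event."""
    token, rows = None, []
    for minute, kind in events:
        if kind == "login":
            token, outcome = login(minute, token, timeout_min, cushion_min)
        else:
            # A request only checks the token; it does not extend it.
            valid = token is not None and minute < token.expires_at
            outcome = "ok" if valid else "expired"
        rows.append((minute, kind, outcome, token.expires_at if token else None))
    return rows

# Constructed timeline 1: one login, then a request every 10 minutes.
ACTIVE_USER = [(0, "login")] + [(m, "request") for m in range(10, 131, 10)]
# Constructed timeline 2: logins outside and inside the cushion window.
RELOGIN_USER = [(0, "login"), (100, "login"), (115, "login"), (130, "request")]

if __name__ == "__main__":
    for name, timeline in (("active", ACTIVE_USER), ("relogin", RELOGIN_USER)):
        print(name)
        for row in simulate(timeline):
            print("  minute %3d  %-7s  %-7s  token expires at %s" % row)
```

In the first timeline the user is never idle for more than 10 minutes and still loses authentication at minute 120. In the second, only the login at minute 115 (5 minutes of validity left) produces a token with a new expiry.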
The picture below shows the workflow:

For more information see this link:
http://www-01.ibm.com/support/docview.wss?fdoc=aimwps&rs=2307&uid=swg21320747
Very informative blog, thanks for sharing...