LTPA Timeout in WebSphere Application Server (Authentication Timeout)

Posted by eichelgartenweg on 11:33 AM with 1 comment

Web techniques like AJAX are designed for “long user sessions”, especially in a business context.

In WebSphere, a user session is limited by two timeouts:
  • JSession (the plain Java session ID)
  • Lightweight Third-Party Authentication (LTPA), IBM's proprietary authentication mechanism
If you need to increase the session timeout to a large value (such as 8 h), you may observe some side effects of the LTPA security technology.

An LTPA-based authentication session has a fixed timeout. This timeout is defined globally under
Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration
Every time a user logs in, an LTPA token with a specific time-based validity is either renewed or reused.

Whether an LTPA token is reused or renewed can be influenced by setting the cacheCushionMax value as a JVM property. If the remaining LTPA validity period is lower than the cacheCushionMax value, a new LTPA token (with a new validity period) is created. If the remaining LTPA validity is higher than the cacheCushionMax value, the “old” LTPA session (with the “old” LTPA timeout) is reused.
User activity does not automatically extend the validity! The LTPA timeout is a static timeout!
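The reuse/renew rule and the static expiry described above, as an added Python model (not code from the post or from WebSphere itself): the 120-minute LTPA timeout, the 15-minute cacheCushionMax and the request times are constructed sample values, and `login` / `first_rejected_request` are hypothetical models of the server's decision, not WebSphere APIs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample values, in minutes: the global LTPA timeout and cacheCushionMax.
LTPA_TIMEOUT = timedelta(minutes=120)
CACHE_CUSHION_MAX = timedelta(minutes=15)

@dataclass
class LtpaToken:
    issued_at: datetime
    expires_at: datetime  # static: user activity never moves it

    def remaining(self, now):
        return self.expires_at - now

def login(now, cached=None):
    """Reuse/renew decision at (re)authentication; returns the token to use
    and one of 'new', 'reused', 'renewed'."""
    if cached is None or cached.remaining(now) <= timedelta(0):
        return LtpaToken(now, now + LTPA_TIMEOUT), "new"
    if cached.remaining(now) < CACHE_CUSHION_MAX:
        return LtpaToken(now, now + LTPA_TIMEOUT), "renewed"  # inside the cushion
    return cached, "reused"  # enough validity left: old token, old expiry

def first_rejected_request(token, http_session_timeout, activity_times):
    """Earliest request that fails: HTTP session idled out OR static LTPA expiry
    reached. Model assumption: a request at the exact expiry instant is rejected."""
    last = activity_times[0]
    for t in activity_times[1:]:
        if t >= token.expires_at or t >= last + http_session_timeout:
            return t
        last = t
    return None

def demo():
    """8 h HTTP session vs 120 min LTPA timeout; results as minute offsets from t0."""
    t0 = datetime(2024, 1, 1, 9, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    token, a0 = login(m(0))
    same, a1 = login(m(30), token)    # 90 min left > cushion -> reused
    fresh, a2 = login(m(110), token)  # 10 min left < cushion -> renewed
    _, a3 = login(m(130), token)      # already expired -> new
    clicks = [m(10 * i) for i in range(60)]  # one request every 10 min, session never idle
    rejected = first_rejected_request(token, timedelta(hours=8), clicks)
    return {"actions": [a0, a1, a2, a3],
            "reused_expiry_min": (same.expires_at - t0) // timedelta(minutes=1),
            "renewed_expiry_min": (fresh.expires_at - t0) // timedelta(minutes=1),
            "first_rejected_min": (rejected - t0) // timedelta(minutes=1)}
if __name__ == "__main__":
    print(demo())
```

Even though the user is active every 10 minutes and the HTTP session is set to 8 h, the first rejected request comes at the 120-minute LTPA expiry, which is the side effect the post warns about.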

The picture below shows the workflow:

For more information see this link: