LTPA Timeout in WebSphere Application Server (Authentication Timeout)

Web techniques like AJAX are designed for “long user sessions” especially in an business context.

In WebSphere an user session is limited by two timeouts:

• JSession (Plain Java Session ID)
• Lightweight Third-Party Authentication (LTPA) - IBMs proprietary authentication mechanism

If you need to increase the Session-Timeout to large values (like 8 h) you may observe some side effects of the LTPA security technology.


A LTPA-based authentication session has a fixed timeout. This timeout is globally defined in
Security > Secure administration, applications, and infrastructure >Authentication mechanisms and expiration
Every time an user logs in a LTPA-Token with a specific time-based validity is extended or reused.

If a LTPA timeout is reused ore renewed can be influenced by setting a cacheMaxTimeout-Value as a JVM-Property. If the remaining LTPA-Validiy-Period is lower than the cacheCushionMax-Value, a new LTPA-Token (with new validity) is created. If the LTPA-Validity is higher than the cacheCushionMax-Value the “old” LTPA-Session (with “old” LTPA-Timeout) will be reused.
User activities do not automatically extend the validity! The LTPA-Timeout is a static timeout!

The picture below shows the workflow:





For more information see this link:
http://www-01.ibm.com/support/docview.wss?fdoc=aimwps&rs=2307&uid=swg21320747