What is the Difference between "Maximum Inactive Session Time" and "SessionCookieTimeOut"?
Article Number: 000003814 | Last Modified: 2020/03/27
What is the difference between the following timeouts:
- SessionCookie timeout
- ASP timeout
- Inactive Session timeout
A Session Cookie will be destroyed when the user closes their browser, but also has a maximum lifetime within that session. Our Session Cookie contains a representation of the authenticated identity, and should be refreshed whenever the browser interacts with the website (every click). If the identity cookie is destroyed then the user is effectively logged out.
If a user is using the Plugin Client then a handshake continues between the desktop and server. With the AJAX client, the server has no idea what is happening in the browser. If someone left their browser open at the end of the day, the browser would eventually invalidate the identity cookie, but the server would still think the user was logged in. Similarly, the QvS would not know if a user closed their browser. When the Inactive Session timeout elapses after the last query/action received from a user, we assume that they must have closed the browser, and all cached user objects can now be destroyed.
Generally these two timeouts can be similar, or the Session Cookie timeout should be smaller than the Inactive Session timeout (otherwise we might destroy cached objects of an Ajax Client user who is actually still logged in).
There is another hidden timeout in the webserver: the ASP Session timeout. The identity cookie relates to a particular session/process on the webserver (which is why we require Sticky Sessions on any Load Balancer). The QvWS has this hardcoded to 20 or 30 minutes.
Avoid having a cookie that is valid in the browser but not recognised on the webserver. The ASP Session timeout should be rather long, and can be customised in IIS.
One way to set up the timeouts is: SessionCookie timeout < ASP timeout < Inactive Session timeout
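The following is an added example, not code from the original article or from the product. It models the three timeouts as minutes since the user's last action and reports the windows in which the tiers disagree about whether the user is logged in. The field names, the shared starting point for all three timers, and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Timeouts:
    """Hypothetical field names; values in minutes after the last user action."""
    session_cookie: int    # identity cookie lifetime in the browser
    asp_session: int       # ASP session lifetime on the web server
    inactive_session: int  # QVS inactive session timeout

def state_at(t: Timeouts, minute: int) -> dict:
    """Which tier still treats the user as logged in at the given minute."""
    return {
        "browser_cookie": minute < t.session_cookie,
        "asp_session": minute < t.asp_session,
        "qvs_session": minute < t.inactive_session,
    }

def problem_windows(t: Timeouts) -> list:
    """(start, end, issue) spans where a valid cookie outlives a server tier."""
    windows = []
    if t.asp_session < t.session_cookie:
        windows.append((t.asp_session, t.session_cookie,
                        "cookie valid in browser but not recognised on web server"))
    if t.inactive_session < t.session_cookie:
        windows.append((t.inactive_session, t.session_cookie,
                        "QVS destroyed cached objects of a user who is still logged in"))
    return windows

def stale_server_window(t: Timeouts) -> int:
    """Minutes QVS keeps a session after the browser cookie has expired."""
    return max(0, t.inactive_session - t.session_cookie)

def follows_recommended_order(t: Timeouts) -> bool:
    """SessionCookie timeout < ASP timeout < Inactive Session timeout."""
    return t.session_cookie < t.asp_session < t.inactive_session

if __name__ == "__main__":
    # Constructed sample values, not defaults from any product.
    for cfg in (Timeouts(20, 60, 90), Timeouts(60, 20, 30)):
        print(cfg, "ordered:", follows_recommended_order(cfg))
        print("  stale QVS window:", stale_server_window(cfg), "min")
        for start, end, issue in problem_windows(cfg):
            print(f"  {start}-{end} min: {issue}")
```

The stale window is the period during which the server still holds an abandoned AJAX session, so it is the value to weigh when deciding how far apart the first and last timeouts should sit.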