Spotfire® Server and Environment Security

Session Management

When a user accesses the Spotfire Server, from a web browser or from a client such as Spotfire Analyst, a session is created. A session ID is valid across most of the Spotfire Server environment, but the public APIs do not use sessions.

Session IDs

The Spotfire session IDs are 16-byte (128-bit) IDs that are randomly generated by Tomcat. See the Tomcat documentation about session ID generation for more information.

The JSESSIONID cookie holds the session ID. All information associated with the session is stored server-side. See also HTTP Cookies.

Session rotation

Session IDs are rotated (replaced) when a user authenticates and when users change their own passwords in the Spotfire Server database (username/password authentication). Changes to credentials in external authentication systems have no effect on active sessions.

When a session expires, the session is invalidated (deleted) server-side. The session ID may still remain in client cookie stores and similar but it will no longer refer to any active session (and any subsequent attempts to use it will simply be ignored).

Session timeouts and configuration

The Spotfire Server allows you to configure different aspects of session management. For example, you can change the absolute and idle timeouts, and restrict the number of concurrent sessions per user. Absolute session timeout is a recommended security feature, while idle session timeout is mainly a resource management feature. See the documentation about Absolute session timeout and idle session timeout to change the default timeout values.
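The following is an added illustrative model of the session lifecycle described in the sections above (random 128-bit IDs held only by the client, rotation on authentication and local password change, server-side invalidation on absolute or idle expiry, and a per-user concurrent-session cap). It is not Spotfire's or Tomcat's code; the timeout and cap values are constructed for the example and are not Spotfire defaults.

```python
import secrets

ABSOLUTE_TIMEOUT = 8 * 3600  # seconds since creation (constructed value, not a Spotfire default)
IDLE_TIMEOUT = 30 * 60       # seconds since last request (constructed value)
MAX_CONCURRENT = 2           # sessions per user (constructed value)


class SessionStore:
    def __init__(self, clock):
        self.clock = clock     # callable returning "now" in seconds (injected so tests can control time)
        self.sessions = {}     # session_id -> {"user", "created", "last_seen"}; all state is server-side

    def create(self):
        sid, t = secrets.token_hex(16), self.clock()   # 16 bytes / 128 bits from a CSPRNG
        self.sessions[sid] = {"user": None, "created": t, "last_seen": t}
        return sid

    def lookup(self, sid):
        """Return session data or None; expired entries are deleted on sight, so a stale ID
        lingering in a client cookie store no longer refers to any active session."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        t = self.clock()
        if t - s["created"] > ABSOLUTE_TIMEOUT or t - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        s["last_seen"] = t
        return s

    def rotate(self, sid):
        """Issue a fresh ID for an existing session, keeping its data. Used on authentication
        and on a local (Spotfire database) password change; the old ID stops resolving."""
        if self.lookup(sid) is None:
            return None
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = self.sessions.pop(sid)
        return new_sid

    def authenticate(self, sid, user):
        """Bind the session to a user, enforce the concurrent-session cap, then rotate the ID."""
        if self.lookup(sid) is None:
            return None
        owned = sorted((v["created"], k) for k, v in self.sessions.items() if v["user"] == user)
        while len(owned) >= MAX_CONCURRENT:   # evict the user's oldest sessions to stay under the cap
            del self.sessions[owned.pop(0)[1]]
        self.sessions[sid]["user"] = user
        return self.rotate(sid)
```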

See also Spotfire Server Security Configuration and Administration Activities.