Spotfire® Server and Environment - Installation and Administration

Managing active user sessions

To restrict the number of concurrent sessions that each of your users is allowed, configure Spotfire Server to specify both the number of sessions and the action to take when a user reaches the session limit.

About this task

Configuring your service to allow a limited number of sessions is usually considered to be a good security practice and follows certain security standards. You can control the number of concurrent sessions run under a guest (anonymous) login separately from that of named users.
By default, this setting is disabled, allowing an unlimited number of concurrent sessions per user. When this setting is enabled, users can experience the following behavior:
  • If a user who has already reached the maximum number of active sessions tries to log in from a new Spotfire client or computer, then the login is blocked and an error message is displayed.
  • If a user abandons a session (for example, by closing a browser window without first logging out), and that session was the last one allowed under the limit, then the user is prevented from logging in again until the configured idle time has been reached (by default 30 minutes).
  • If the maximum number of concurrent sessions is set to 1, and a user is running an older version of Spotfire Analyst, then running the update tool can create multiple sessions during login, which prevents the user from logging in again and completing the update. To avoid this issue, make sure that users update their Spotfire Analyst installations before you set the limit, or set the concurrent limit to 2 or more.

This topic covers setting the session limit using the configuration tool. You can also set the limit using the command-line command config-sessions.

Before you begin

You must be logged into the computer where the Spotfire Server is installed, and you must have administrative access to run the configuration tool. If you cannot run the configuration tool on the Spotfire Server computer, see Running the configuration tool on a local computer.

Procedure

  1. Open the configuration tool.
    Run the command <installation dir>/tomcat/spotfire-bin/uiconfig.bat (uiconfig.sh on Linux).
    The configuration tool is launched and you are prompted to provide the password.
  2. Provide the password to the configuration tool.
  3. Click the Configuration tab, and then from the left pane, click Security.
    The Security dialog box is displayed.

    Configuration tab, Security dialog box

  4. In the text box for Max concurrent sessions per user, provide a positive value.
    By default, no value is provided, indicating that each client user has access to unlimited concurrent sessions.
    Note: This limit applies only to login attempts by front-end client users; it does not apply to login attempts by services, such as the Web Player service or the data function services, which access sessions from the node manager.
  5. In the text box for Max concurrent anonymous sessions, provide a positive value.
    By default, no value is provided, indicating that each guest user has access to unlimited concurrent sessions.
  6. From the drop-down list for Concurrent sessions limit resolution, select one of the following available values.
    Option                    Description
    Block                     The default. Specifies that if the user reaches the maximum number of concurrent active sessions allowed, then an attempt to start another session results in a generic error message.
    Log out oldest session    Ends the oldest concurrent active session for this user to free a session so that the user is able to start a new session.
  7. Save the configuration, and then restart Spotfire Server.

Results

Users running concurrent sessions are now limited to the specified number of sessions.
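
The following added example (not Spotfire Server code) models the behavior described under "About this task" and in step 6, so that you can compare how the two limit resolutions treat an abandoned session. The class, method, and option names are assumptions made for this sketch; only the 30-minute idle default and the Block / Log out oldest session semantics come from this topic.

```python
# Illustrative model only; names are assumptions, not Spotfire Server code or config keys.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionLimiter:
    max_sessions: Optional[int] = None   # None = unlimited (the documented default)
    resolution: str = "block"            # "block" or "logout_oldest"
    idle_timeout: int = 30               # minutes; documented default idle time
    sessions: dict = field(default_factory=dict)  # user -> {session_id: last_activity}
    next_id: int = 0

    def _expire_idle(self, user, now):
        active = self.sessions.setdefault(user, {})
        for sid in [s for s, last in active.items() if now - last >= self.idle_timeout]:
            del active[sid]
        return active

    def login(self, user, now):
        """Return (session_id, evicted_id); session_id is None when the login is blocked."""
        active = self._expire_idle(user, now)
        evicted = None
        if self.max_sessions is not None and len(active) >= self.max_sessions:
            if self.resolution == "block":
                return None, None
            evicted = next(iter(active))  # dicts keep insertion order, so this is the oldest
            del active[evicted]
        self.next_id += 1
        active[self.next_id] = now
        return self.next_id, evicted

    def logout(self, user, session_id):
        self.sessions.get(user, {}).pop(session_id, None)


def abandoned_session_demo(resolution):
    """Limit of 1; the user closes the browser at minute 0 without logging out."""
    limiter = SessionLimiter(max_sessions=1, resolution=resolution)
    first, _ = limiter.login("alice", now=0)
    retry_early, evicted = limiter.login("alice", now=10)  # abandoned session still counts
    retry_late, _ = limiter.login("alice", now=40)         # idle timeout has passed
    return first, retry_early, evicted, retry_late


if __name__ == "__main__":
    print("block:         ", abandoned_session_demo("block"))
    print("logout_oldest: ", abandoned_session_demo("logout_oldest"))
```

With Block, the retry at minute 10 is refused and succeeds only after the idle time has elapsed; with Log out oldest session, the same retry succeeds immediately and the abandoned session is ended.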