Absolute session timeout and idle session timeout

Absolute session timeout is a recommended security feature, while idle session timeout is mainly a resource management feature.

Absolute session timeout requires all Spotfire users to log in to the program again after the configured amount of time. This is true whether a user has been working in Spotfire the entire time, has left the computer unattended, or has shut the computer down. The data associated with the session remains available to the user so that they can log back in (on the same computer or a different computer) and continue working. The absolute session timeout default is 1,440 minutes (24 hours).

However, because open user sessions tie up system resources that could be used elsewhere, the idle session timeout begins its countdown when a user shuts down their computer or the computer is no longer connected to the Spotfire network. If the user does not reactivate their session before the idle session timeout has been reached, the data associated with the session is destroyed and the session's resources become available for other sessions. The idle session timeout default is 30 minutes.

Note: The session is not considered "idle" until the computer shuts down or disconnects from the network because Spotfire Web Player, like many other applications, makes periodic background requests to the server.

Because the login page makes no background requests, when an absolute session timeout occurs, the session data is eventually destroyed when the idle session timeout is reached. This assumes that the user is not immediately logged back in again because they previously selected the Keep me logged in check box.

Both idle session timeout and absolute session timeout are set in the configuration.xml file. Therefore, in a clustered implementation the setting applies to all the resources in the cluster.

These timeout properties can be configured either in the Spotfire configuration tool or on the command line.