
Q. I am confused about cookie-timeouts on the browser, AuthentiX cookie timeouts, and the limit-concurrent-login timeout.
A.

Yes, there are several different levels, each with their own subtle requirements and reasoning.

The three timeouts you mention are:

1) The browser: on the server you can set a cookie to expire after a certain time, which means the cookie can persist beyond closing the browser, or disappear while the browser is still open if the lifetime is very short. With no expiry specified when the cookie is created, it is destroyed at the end of the session, i.e. when the browser is closed.

2) The AuthentiX internal cookie timer (which you can set anywhere from 2 minutes to 600 minutes), which decides at the server (independently of the client browser) when a cookie has timed out, requiring a fresh login. This is intended as the "lower limit" of time, so that a user is forced to log back in if they have not been active for a (short) period of time (maybe they went to the water-cooler).

3) The limit-logins timeout, i.e. whether a "user session" has finished. A session is deemed finished 10 minutes after the last HTTP request. This is intended as the "upper limit" of time, so that a session is deemed abandoned after 10 minutes. This is useful if a dial-up connection has been dropped. If you were to increase this to 600 minutes, each dial-up connection that is dropped would eat up one concurrent login for that long, with undesirable results.

The limit-logins timeout works with both Basic Authentication and cookie-based login, so do not assume that the internal cookie timer and the limit-logins timer are connected.

This means a browser could hold a non-expired cookie and yet, because there has been no activity for a while, the limit-logins session has timed out, which allows a second user with the same name to log in. If the first user then tries to access the protected directory, they will be denied access by limit-logins, even though their cookie is still valid.

With limit-logins, one user cannot "lock out" an account for long periods of time while they are not actually accessing the site.
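The three independent clocks above are easiest to see side by side. The following is an added example, a small simulation written for this FAQ and not AuthentiX code: it models a browser-side cookie expiry, a server-side cookie inactivity timer, and a limit-logins session timer with a per-user concurrent-login cap, all on a simulated clock in minutes. The 10-minute session timeout is the value the answer gives; the 30-minute cookie timer, the concurrent-login limit of 1, the user name and the timestamps are assumptions chosen to reproduce the "valid cookie but abandoned session" case described above.

```python
"""Simulated interaction of three independent login timeouts (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

COOKIE_INACTIVITY_MIN = 30   # assumed server-side cookie timer (within the 2..600 min range)
SESSION_INACTIVITY_MIN = 10  # limit-logins: session abandoned 10 min after last request
MAX_CONCURRENT = 1           # assumed concurrent-login limit per user name


@dataclass
class Cookie:
    user: str
    expires_at: Optional[int]  # None = session cookie, gone when the browser closes
    last_seen: int             # server-side: last request that carried this cookie


@dataclass
class Session:
    cookie_id: int
    last_request: int          # limit-logins activity clock


class AuthServer:
    def __init__(self) -> None:
        self.cookies: Dict[int, Cookie] = {}
        self.sessions: Dict[str, List[Session]] = {}
        self._next_id = 1

    def _reap_sessions(self, user: str, now: int) -> None:
        # Drop sessions idle for SESSION_INACTIVITY_MIN or longer (frees a concurrent slot).
        self.sessions[user] = [
            s for s in self.sessions.get(user, [])
            if now - s.last_request < SESSION_INACTIVITY_MIN
        ]

    def login(self, user: str, now: int, cookie_lifetime: Optional[int] = None) -> Optional[int]:
        """Issue a cookie id, or None when the concurrent-login cap is reached."""
        self._reap_sessions(user, now)
        if len(self.sessions[user]) >= MAX_CONCURRENT:
            return None
        cid = self._next_id
        self._next_id += 1
        expires = None if cookie_lifetime is None else now + cookie_lifetime
        self.cookies[cid] = Cookie(user, expires, now)
        self.sessions[user].append(Session(cid, now))
        return cid

    def request(self, cookie_id: int, now: int, browser_open: bool = True) -> str:
        """Return 'ok' or the name of the first check that rejects the request."""
        c = self.cookies.get(cookie_id)
        if c is None:
            return "no-cookie"
        # 1) browser-side cookie lifetime
        if c.expires_at is None and not browser_open:
            return "cookie-gone-browser-closed"
        if c.expires_at is not None and now >= c.expires_at:
            return "cookie-expired-browser"
        # 2) server-side cookie inactivity timer
        if now - c.last_seen >= COOKIE_INACTIVITY_MIN:
            return "cookie-timed-out-server"
        # 3) limit-logins: is this cookie's session still alive?
        self._reap_sessions(c.user, now)
        sess = next((s for s in self.sessions[c.user] if s.cookie_id == cookie_id), None)
        if sess is None:
            return "session-abandoned"
        sess.last_request = now
        c.last_seen = now
        return "ok"


def walkthrough() -> Dict[str, object]:
    """Replay the scenario from the FAQ answer on the simulated clock (minutes)."""
    srv = AuthServer()
    first = srv.login("alice", now=0, cookie_lifetime=60)   # persistent cookie, valid for 60 min
    early = srv.login("alice", now=5)                       # refused: first session still active
    second = srv.login("alice", now=15)                     # allowed: first session idle >= 10 min
    denied = srv.request(first, now=16)                     # cookie valid, session abandoned
    ok = srv.request(second, now=16)
    srv.request(second, now=18)
    idle = srv.request(second, now=50)                      # server cookie timer fires first
    return {"first": first, "early": early, "second": second,
            "denied": denied, "ok": ok, "idle": idle}


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The order of the checks in `request` matters: the server cookie timer is consulted before limit-logins, so with a short cookie timer a user is asked to log in again before the session slot is ever freed, while with a long cookie timer (as here) the session can be reaped and a second login for the same name admitted while the first cookie is still technically valid.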
