Setting web session timeouts for user workspaces in censhare Web helps to save memory and prevents session hijacking attempts.

Context

censhare API Services.

Available as of 2019.2.2

Prerequisites

None

Introduction

When users log in to censhare Web and open their workspace, the browser establishes a connection to the censhare server, and a corresponding session is opened. As a censhare administrator, you can configure timeouts that determine when a web session is closed because of inactivity on the client connection, a lost client connection, or a closed web client. With these timeouts, you can ensure that unused sessions are disconnected and active users are required to periodically reconnect and authenticate. This prevents session hijacking attempts. It also helps to reduce the amount of memory that is used when a large number of idle sessions are open simultaneously.

Session timeout options

You can configure the following timeouts:

  • Maximum time to keep a web session alive after all browser windows have been closed without a user logout, or after the browser connection has been lost.

  • Maximum idle time of a web session without any user activity.

Configure web session timeouts

  1. Log in to the censhare Admin Client.

  2. Select Configuration > Services > API and double-click Configuration.

  3. Under General setup, select the respective server and check that the service is enabled.

    Set the timeout options:

    • Keep session alive: Set the maximum time (in minutes) to keep a web session alive after users have closed all browser windows without logging out, or after the browser connection has been lost. Default: 3 minutes

    • Session duration limit: Set the maximum idle time (in minutes) of a web session without any user activity. After this interval, the session is closed by a session cleaner. For security and performance reasons, we recommend selecting an idle time that is not too long. Default: 1440 minutes

  4. Save your edits with OK.

  5. From the toolbar of the censhare Admin Client, click Update server configuration.

After the server configuration update, the options are set for all new user sessions. When the timeouts are applied and the sessions closed, users need to log in to censhare Web again.

Timeout behavior with different connection protocols

For details on different connection protocols and their behavior regarding timeouts, see this FAQ.

Monitor web session timeouts

You can monitor session behavior in the censhare system asset and censhare log files. For more information, see Monitoring.

Monitor Keep sessions alive timeouts

Sample log with Keep alive timeout set to 2 minutes. After closing the browser window, the session is closed after 2 minutes.

Monitor Session inactivity limit timeouts

Sample log with session inactivity limit set to 5 minutes. A session cleaner closes the session after 5 minutes of session inactivity.

Security best practices

  • Set the session inactivity limit to the minimum value possible depending on the context of the application or tasks.

  • Monitor and trace session creation and cleaning to analyze creation trends and detect irregular numbers of newly created sessions.
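
One way to act on the monitoring recommendation above, as an added example that is not censhare code: it flags time buckets with an irregular number of session creations and reports how many sessions were open at once. It assumes you have already extracted creation and close events from your logs into (timestamp, kind, session id) tuples; that tuple format, the function names and all sample values are constructed here and do not reflect the censhare log format.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

def sample_events():
    """Constructed events (timestamp, kind, session id); not censhare log format."""
    base, events, sid = datetime(2024, 1, 1, 9, 0), [], 0
    # Creations per 5-minute bucket: steady traffic with one burst of 40.
    for bucket, n in enumerate([2, 3, 2, 3, 2, 40, 3]):
        for i in range(n):
            sid += 1
            ts = base + timedelta(minutes=5 * bucket, seconds=i)
            events.append((ts, "created", f"s{sid}"))
            if sid % 10:  # every 10th session never gets a close event
                events.append((ts + timedelta(minutes=4), "closed", f"s{sid}"))
    return events

def creation_spikes(events, bucket_minutes=5, k=5.0):
    """Bucket start times whose creation count exceeds median + k * MAD."""
    counts = Counter()
    for ts, kind, _ in events:
        if kind == "created":
            # Floor to the bucket start (bucket_minutes must divide 60).
            start = ts.replace(minute=ts.minute - ts.minute % bucket_minutes,
                               second=0, microsecond=0)
            counts[start] += 1
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1  # avoid a zero-width band
    return sorted(b for b, c in counts.items() if c > med + k * mad)

def open_session_stats(events):
    """Return (peak concurrently open sessions, ids still open at the end)."""
    open_ids, peak = set(), 0
    for ts, kind, sid in sorted(events):
        if kind == "created":
            open_ids.add(sid)
        elif kind == "closed":
            open_ids.discard(sid)
        peak = max(peak, len(open_ids))
    return peak, sorted(open_ids)

if __name__ == "__main__":
    events = sample_events()
    print("creation spikes:", creation_spikes(events))
    print("peak open / still open:", open_session_stats(events))
```

Sessions that remain open at the end are not necessarily a fault, because an active session can outlive the idle limit; treat the list as a starting point for review.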


Result

You know how to configure web session timeouts for censhare Web and how to monitor web session timeouts.