13.3. Web Sessions

13.3.1. Web Session Timeout

When Authentication Tokens are not used, Web Sessions guard persistent authorized access to SavaPage.

For security reasons, all sessions expire (time out) after a certain period of inactivity. Each interaction with the Web App that results in a call to the SavaPage Web Server resets the inactivity timer. Closing the browser window will end the session. The default timeout periods for the different login types are shown in the table below:

| Login type | Default value |
|---|---|
| Admin Web App | 1440 minutes (24 hours) |
| User Web App | 60 minutes (1 hour) |

Table 13.1. Default Web Session Timeout Values


The timeout value (in minutes) can be changed using the configuration properties below. A value of 0 indicates that the session will never time out.

| Configuration property | Description |
|---|---|
| web-login.admin.session-timeout-mins | Inactivity timeout for the Admin Web App |
| web-login.user.session-timeout-mins | Inactivity timeout for the User Web App |

Table 13.2. Web Session Timeout Configuration Properties


See Section 4.10.14.10, “Config Editor” for information about changing configuration properties.

Changed inactivity timeout values take effect for new sessions. Note that some pages, such as the Dashboard, periodically refresh themselves (or the data they display). A session will not time out if a browser is left on one of these pages, because it is considered active.

13.3.2. Web Session Cookies

Session tracking cookies like JSESSIONID and BAYEUX_BROWSER are marked as HttpOnly. An HttpOnly cookie cannot be accessed by client-side APIs, such as JavaScript, and may therefore help mitigate certain kinds of cross-site scripting attacks.
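
The HttpOnly marking described above can be checked from the Set-Cookie headers a server returns. The following is an added example, not SavaPage code: the function names and the sample header values are constructed for illustration, and only the cookie names JSESSIONID and BAYEUX_BROWSER come from this section.

```python
# Added example: audit Set-Cookie header values for the HttpOnly attribute.
# Cookie names come from this section; everything else is hypothetical.
SESSION_COOKIES = ("JSESSIONID", "BAYEUX_BROWSER")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attributes).

    Attribute names are lower-cased because they are case-insensitive.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_session_cookies(set_cookie_values, names=SESSION_COOKIES):
    """Return {cookie name: status} for each expected session cookie.

    Status is "httponly", "missing-httponly" or "not-set". A cookie that is
    set more than once is flagged if any one occurrence lacks HttpOnly.
    """
    status = {name: "not-set" for name in names}
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        if name not in status:
            continue  # not a session tracking cookie, ignore
        if "httponly" not in attrs:
            status[name] = "missing-httponly"
        elif status[name] == "not-set":
            status[name] = "httponly"
    return status


# Constructed sample headers (not captured from a real server).
SAMPLE_OK = [
    "JSESSIONID=node0abc123.node0; Path=/; HttpOnly",
    "BAYEUX_BROWSER=1f2e3d4c; Path=/; httponly",
]
SAMPLE_BAD = [
    "JSESSIONID=node0abc123.node0; Path=/",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, audit_session_cookies(headers))
```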