6 Replies Latest reply on Jan 15, 2013 5:10 PM by Tony Andrews

    Session timeout with multi-application session

    Tony Andrews

      I have two applications A and B that share the same session (because they use the same session cookie), and each has Maximum Session Idle Time set to the same value N. Having established a session and visited both applications, if I then spend more than N seconds working in application A (doing lots of page loads so not timing out), if I then navigate to application B it immediately times out and sends me to its login page.

      I tried also calling APEX_UTIL.SET_SESSION_MAX_IDLE_SECONDS(N) in both applications, with p_scope defaulting to 'SESSION', noting that the API docs say "This would be the most common use case when multiple Application Express applications use a common authentication scheme and are designed to operate as a suite in a common session." However the same thing happens.

      I want the timeout to apply to the session as a whole, not to each application independently. Is this not what the above is supposed to achieve, or am I doing something wrong?

      Edited by: Tony Andrews on Jan 14, 2013 10:26 AM

      Edited by: Tony Andrews on Jan 14, 2013 10:29 AM
        • 1. Re: Session timeout with multi-application session

          You didn't say so I'll ask: does this ever work as expected? Say if you're only in application a for a few minutes?


          blog: http://DanielMcghan.us/
          work: http://SkillBuilders.com/APEX/
          • 2. Re: Session timeout with multi-application session
            Tony Andrews

            Yes, if you only wait a few minutes and then go back to the other application you still have a session. It's only when you stay away longer than the timeout setting that you get timed out.

            • 3. Re: Session timeout with multi-application session
              Christian Neumueller-Oracle

              in 4.2, we introduced a built-in global app item (FSP_SESSION_TIME) to save the last request time, max idle and max session length time. In 4.1.1 and earlier, the values were stored in built-in app items per application. However, when you called APEX_UTIL.SET_SESSION_MAX_IDLE_SECONDS with SESSION scope, it should have updated the timeout in all apps that span the session. This should also have worked. Can you try to reproduce this case on apex.oracle.com? Although it's already on 4.2.1, maybe this helps to isolate the problem.

              • 4. Re: Session timeout with multi-application session
                Tony Andrews
                Thanks. I have set up the 2 demo applications on apex.oracle.com - start here:


                Login as demo/demo.

                There is a button at the top of the page to go to the other application, and a button there to return. Both applications are set to timeout after 30 idle seconds.

                This is all working perfectly on apex.oracle.com - I can sit in one of the applications for a minute just submitting the page or refreshing it, and then navigate to the other app using the button with no problem. It works whether I just set the Max Idle Seconds attribute to 30 in each app, or whether I also have an application process that runs on page load and calls APEX_UTIL.SET_SESSION_MAX_IDLE_SECONDS with SESSION scope. However in my 4.1 environment when you navigate to the second app after "working" for more than 30 seconds in the first, you have been timed out (whether or not I use APEX_UTIL.SET_SESSION_MAX_IDLE_SECONDS with SESSION scope).

                So it appears to me that this works as expected in 4.2 but not in 4.1.
                • 5. Re: Session timeout with multi-application session
                  Christian Neumueller-Oracle
                  Hi Tony,

                  good to hear that it's no issue anymore in 4.2. Looking at the 4.1.1 code, it seems that the problem is how we stored the last access time. While the APEX_UTIL call with SESSION scope would set the idle timeout for both apps, we maintained a timer (FSP_LAST_REQUEST_TIME) for each app. Working in TIMTEST1 only updated the timer for TIMTEST1, not for TIMTEST2. After working with one app and switching back to the other app, Apex sees the stale timer and decides that the session expired. This is clearly a bug. The bad news is that a backport is not feasible, because so much has changed in session state management. Do you already have plans to upgrade to 4.2?

                  • 6. Re: Session timeout with multi-application session
                    Tony Andrews
                    Yes we will be upgrading to 4.2 in due course and can live with this for now. Thanks for your help.