6 Replies Latest reply: Jan 15, 2013 9:10 AM by Tony Andrews

Session timeout with multi-application session

Tony Andrews Explorer
(APEX 4.1.1.00.23)

I have two applications A and B that share the same session (because they use the same session cookie), and each has Maximum Session Idle Time set to the same value N. Having established a session and visited both applications, if I then spend more than N seconds working in application A (doing lots of page loads so not timing out), if I then navigate to application B it immediately times out and sends me to its login page.

I tried also calling APEX_UTIL.SET_SESSION_MAX_IDLE_SECONDS(N) in both applications, with p_scope defaulting to 'SESSION', noting that the API docs say "This would be the most common use case when multiple Application Express applications use a common authentication scheme and are designed to operate as a suite in a common session." However the same thing happens.

I want the timeout to apply to the session as a whole, not to each application independently. Is this not what the above is supposed to achieve, or am I doing something wrong?

Edited by: Tony Andrews on Jan 14, 2013 10:26 AM

Edited by: Tony Andrews on Jan 14, 2013 10:29 AM
  • 1. Re: Session timeout with multi-application session
    dmcghan Oracle ACE
    Tony,

    You didn't say so I'll ask: does this ever work as expected? Say if you're only in application A for a few minutes?

    Regards,
    Dan

    blog: http://DanielMcghan.us/
    work: http://SkillBuilders.com/APEX/
  • 2. Re: Session timeout with multi-application session
    Tony Andrews Explorer
    Dan,

    Yes, if you only wait a few minutes and then go back to the other application you still have a session. It's only when you stay away longer than the timeout setting that you get timed out.

    Tony
  • 3. Re: Session timeout with multi-application session
    Christian Neumueller Expert
    Hi,

    in 4.2, we introduced a built-in global app item (FSP_SESSION_TIME) to save the last request time, max idle and max session length time. In 4.1.1 and earlier, the values were stored in built-in app items per application. However, when you called APEX_UTIL.SET_SESSION_MAX_IDLE_SECONDS with SESSION scope, it should have updated the timeout in all apps that span the session. This should also have worked. Can you try to reproduce this case on apex.oracle.com? Although it's already on 4.2.1, maybe this helps to isolate the problem.

    Regards,
    Christian
  • 4. Re: Session timeout with multi-application session
    Tony Andrews Explorer
    Thanks. I have set up the 2 demo applications on apex.oracle.com - start here:

    http://apex.oracle.com/pls/apex/f?p=TIMTEST1

    Login as demo/demo.

    There is a button at the top of the page to go to the other application, and a button there to return. Both applications are set to timeout after 30 idle seconds.

    This is all working perfectly on apex.oracle.com - I can sit in one of the applications for a minute just submitting the page or refreshing it, and then navigate to the other app using the button with no problem. It works whether I just set the Max Idle Seconds attribute to 30 in each app, or whether I also have an application process that runs on page load and calls APEX_UTIL.SET_SESSION_MAX_IDLE_SECONDS with SESSION scope. However in my 4.1 environment when you navigate to the second app after "working" for more than 30 seconds in the first, you have been timed out (whether or not I use APEX_UTIL.SET_SESSION_MAX_IDLE_SECONDS with SESSION scope).

    So it appears to me that this works as expected in 4.2 but not in 4.1.
  • 5. Re: Session timeout with multi-application session
    Christian Neumueller Expert
    Hi Tony,

    good to hear that it's no issue anymore in 4.2. Looking at the 4.1.1 code, it seems that the problem is how we stored the last access time. While the APEX_UTIL call with SESSION scope would set the idle timeout for both apps, we maintained a timer (FSP_LAST_REQUEST_TIME) for each app. Working in TIMTEST1 only updated the timer for TIMTEST1, not for TIMTEST2. After working with one app and switching back to the other app, Apex sees the stale timer and decides that the session expired. This is clearly a bug. The bad news is that a backport is not feasible, because so much has changed in session state management. Do you already have plans to upgrade to 4.2?

    Regards,
    Christian
  • 6. Re: Session timeout with multi-application session
    Tony Andrews Explorer
    Yes we will be upgrading to 4.2 in due course and can live with this for now. Thanks for your help.
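
The timer behaviour described in reply 5, as an added Python model that is not part of the original thread and is not APEX code: one idle limit shared by the session, checked against either a last-request timer per application or a single timer for the whole session. `IdleTracker`, `replay`, `false_timeouts` and the request trace are constructed for illustration; the application aliases and the 30-second limit come from the thread.

```python
class IdleTracker:
    """Idle-timeout check with either per-application or session-wide timers."""

    def __init__(self, max_idle, per_app):
        self.max_idle = max_idle      # idle limit in seconds
        self.per_app = per_app        # True: one last-request timer per application
        self.last = {}                # timer key -> time of last accepted request
        self.expired = False

    def request(self, app, now):
        """Return True if the request is accepted, False if the session timed out."""
        key = app if self.per_app else "SESSION"
        last = self.last.get(key)
        if self.expired or (last is not None and now - last > self.max_idle):
            self.expired = True       # once expired, the session stays expired
            return False
        self.last[key] = now
        return True


def replay(tracker, trace):
    """Feed (time, app) requests to a tracker and collect accept/reject results."""
    return [tracker.request(app, t) for t, app in trace]


def false_timeouts(trace, max_idle):
    """Requests rejected by per-app timers although the session was never idle."""
    per_app = replay(IdleTracker(max_idle, per_app=True), trace)
    shared = replay(IdleTracker(max_idle, per_app=False), trace)
    return [req for req, a, s in zip(trace, per_app, shared) if s and not a]


# Constructed trace: continuous work in TIMTEST1, a switch to TIMTEST2 at t=50,
# then a genuine 50-second pause before the last request.
TRACE = [(0, "TIMTEST1"), (5, "TIMTEST2"), (15, "TIMTEST1"), (30, "TIMTEST1"),
         (45, "TIMTEST1"), (50, "TIMTEST2"), (100, "TIMTEST1")]

if __name__ == "__main__":
    print("per-app timers:   ", replay(IdleTracker(30, per_app=True), TRACE))
    print("session-wide timer:", replay(IdleTracker(30, per_app=False), TRACE))
    print("false timeouts:    ", false_timeouts(TRACE, 30))
```

Both models reject the request after the real 50-second pause; only the per-application timers reject the switch to TIMTEST2 at t=50, where the session as a whole had been idle for 5 seconds.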
