Question

An analysis of Mendix session behaviour and some recommendations, what do you think?

4

I dived into the Mendix session behavior and want to share my findings in the hope that it helps some one and that Mendix will rethink the session (timeout) behavior. When you are using Firebug you'll notice the #KeepAlive request that the client will send to the server. In the M2ee config it's possible to set EnableKeepAlive to False. I expected that the client will stop sending the #KeepAlive request, but that isn't the case. After some debugging I found out what the EnableKeepAlive settings really does, namely: "EnableKeepAlive : True means that the KeepAlive request that the client is interpreted as user interaction and that it will reset the Session timeout." "EnableKeepAlive : False means that the client still send the KeepAlive request but now the server isn't interpreting the request as user action and the session timeout won't be reset." Example 1 So what does that mean. An example: the timeout is configured as 10 minutes and EnableKeepAlive has value True. This are the Mendix defaults. When a user logs in the client starts sending #KeepAlive request every 5 minutes (it's always at the frequency of half of the session time out value). Let's say the user does nothing, just let the app stay opened. Then his session will NEVER expire. That's because of rule 1, #KeepAlive request is seen as user action by the server. So the conclusion: Mendix sessions doesn't expire by default when the user has the browser opened. The only scenario when the server removes the session at session timeout in this case is when the browser is closed and the user didn't properly logout. Example 2 For the most application that's not what you want. The only thing you can do is set EnableKeepAlive to False. Now the client will still send the #KeepAlive request but the server doens't see it as user action and you're session will be removed server side if the user doesn't do anything in the client. Great, you will think, that's what we wanted. But now you'll have an other issue. Because the #KeepAlive is send at half of the session timeout time it can take minutes for the client before it's aware of the fact that the session is removed. Example: session timeout = 10 minutes, EnableKeepAlive = False. User logs in and this can happen: Minute 5 - #KeepAlive Minute 7 - User does something, serverside the timeout value is back to 0 Minute 10 - #KeepAlive Minute 17 - Server removes session because of 10 minutes timeout Minute 20 - #KeepAlive by client and client redirect the user to the login form. So here's a gap of three minutes before the client redirects the user. EDIT: the client redirects because it gets a 401 Not authorized on the #KeepAlive request. My suggestions for changing the platform behavior (and I'm curious what the opinion of the community is) are: Set EnableKeepAlive default to False. Introduce a new property CheckSessionAlive in milliseconds. At that interval the client checks if the session is alive so you can prevent a gap of three minutes. Optional: Rename the EnableKeepAlive property to "InterpretClientKeepAliveAsUserAction", because that's what it does and is much clearer. With this additions you can do the things you actually want. For example: EnableKeepAlive = false, SessionTimeout = 10 minutes, CheckSessionAlive = 1000MS (performance wise1000MS should probably be a minimum). With this configuration you're session will expire after 10 minutes of no action and just 1 second later you are redirected to the login form.

asked 2013-10-14

Herbert Vuijk

1 answers

Sebastiaan van den Broek · Answer 1 · 2013-10-14

It's not really acceptable to set the default property to false, I know various customers where people are logged in the entire day and want to continue working all the time, even if they leave the pc for a few minutes. The case where you log out automatically is the corner case.

There is something about this on security.stackexchange.com, see http://security.stackexchange.com/questions/43809/do-we-need-to-logout-of-webapps I quote: All-day applications: STAY LOGGED IN. For services you use all day and want quick/easy access to, e.g. Facebook, email, etc - IF this is your own private (or work) computer on a trusted network, it is a sensible trade-off to leave your browser logged in long-term.

Note this is even less strict because this is even about apps where you log back in when you go back to the URL, rather than leaving the browser window opened.

I agree that the client sending keepalives even when the server doesn't care about them is not ideal though.

And there is actually a setting you're looking for called ClusterManagerActionInterval, which defines how often expired sessions are checked. It does more than just that though, it also checks if it can unblock users after a certain time and handles some statistics, etc.

Also, you're NOT automatically redirected to the login form, the server can't/doesn't send a message to the client that it's no longer logged in. You probably get this page when you're trying to do something with the client.