7.0.X, 7.1.X, 7.2.X, 7.3.X, Master
The session extension functionality is based on following portal properties:
- Out of the box, the behaviour is to only auto-extend the guest users before the session times out, but it can be enabled for every user setting session.timeout.auto.extend to true.
- The session.timeout must match with the session timeout configured in the web.xml of the application ( tomcat-9.x.x/webapps/ROOT/WEB-INF/web.xml => session-config => session-timeout )
- The session.timeout.auto.extend.offset controls the number of seconds the /c/portal/extend_session request will be executed before the session is timed out.
Current behavior of session extension is to send the extend_session request some seconds before the session has expired:
- session.timeout*60 - session.timeout.auto.extend.offset
For example for the out-of-the-box configuration, 10 seconds before the session has expired (15*60-10 = 890 seconds after the browser received the content from the server)
For the authenticated users, if you have enable session.timeout.auto.extend=true, Liferay should also warn the customer that the session was expired, instead of continuing trying to extend the session that has already expired.
This causes some inconveniences that we should avoid:
- The server will receive useless requests to extend_session that will never correctly extend the session as it is already expired
- If session.timeout.auto.extend=true is enabled, the authenticated user won't receive the warning message that says: "Due to inactivity, your session has expired. Please save any data you may have entered before refreshing the page" so they will potentially lose any pending work they didn't save.
- In the log files, there will be warn traces "Unable to extend the HTTP session. Review the portal property "session.timeout" if this warning is displayed frequently." but these warn traces are not caused by any server misconfiguration, so they can cause some misunderstanding to our customers. (for more information see
In order to solve it, we have to only extend the session in case:
If elapsed >= sessionLength, we have just to execute the session expiration functionality, that will stop the calls and It will display the warning to the final customer in the user interface.
Current session extension code in https://github.com/liferay/liferay-portal/blob/db830a8ca34ce65f4d588f36dc09b3b0f3f31cb6/modules/apps/frontend-js/frontend-js-aui-web/src/main/resources/META-INF/resources/liferay/session.js#L232-L327 checks the session timeout every second, so in theory it should extend the session correctly.
But there are some situations where this is not true:
- The user's computer can be suspended/hibernated anytime without closing any application, when the user starts it again, the existing browser tab will try to extend the session even the session was created the day before.
- Configure Liferay with session.timeout.auto.extend=true in the portal.properties, to enable auto extend for the authenticated users.
- Reduce the session timeout from 15 to 2 minutes (this is not completely necessary to reproduce the issue, but we will reduce the reproduction time to 2 minutes)
- Configure Liferay with session.timeout=2 in the portal.properties
- Change the session timeout in the Tomcat configuration: tomcat/webapps/ROOT/WEB-INF/web.xml => "session-timeout" setting to 2 minutes.
- Start the Liferay server
- Login in your browser with any user
- Freeze your browser until the session is expired:
- To do this you can suspend/hibernate your computer for 2 minutes
- In Linux you can also simulate this executing:
- pkill -STOP -f chrome (or pkill -STOP -f firefox if you use firefox)
- wait 2 minutes
- pkill -CONT -f chrome (or pkill -CONT -f firefox if you use firefox)
- The browser is back to normal:
- The warn message "Due to inactivity, your session has expired. Please save any data you may have entered before refreshing the page" is displayed in the user interface.
- There are no warn traces in the log files
- There is no warn message in the user interface.
- There is a warn trace in the log file that says "Unable to extend the HTTP session. Review the portal property "session.timeout"