loading table of contents...

8.4. Auto Logout

CoreMedia Studio provides two complementing mechanisms for automatically logging out inactive users: server-side session management and client-side activity tracking.

Jointly, these two algorithms keep the number of active sessions to a minimum, reducing the opportunity for an attacker to hijack a Studio session. The session timeouts for these algorithms can be configured separately. You should strive for a balance between security and user convenience.

Server-Side Session Management

A login to CoreMedia Studio is supported by a servlet session that is established with the web application container. If the client application in the browser does not contact the web application for a certain time, the servlet session will be closed by the container.

When the servlet session dies and the Studio client contact the server again, the condition will be detected and an appropriate error message is shown. The user will need to log in again.

Note that this timeout appears typically when the browser is closed or when the client machine is suspended or shut down. As long as Studio is open in a running browser, it continually fetches events from the server using HTTP requests. These requests keep the session alive.

You can configure the timeout in the web.xml file of the Studio web application. Most containers set a default value of 30 minutes. Because the Studio client contacts the server at least every 20 seconds, you may opt to reduce the timeout significantly. You should not reduce it to less than a couple of minutes, though, so that temporary network problems do not cause Studio to disconnect.

Client-Side Activity Tracking

In order to detect that the user is not interacting with a running CoreMedia Studio, a client-side process continually detects mouse movements and write requests, which provide a good indication of use activity.

When the user is inactive for too long, the CoreMedia Studio session is closed and the login screen is shown again. This timeout can be configured using the application property studio.security.autoLogout.delay. By default, the timeout is set to 30 minutes.