Session Management in Liferay

Issue

  • How are sessions managed in Liferay, and what settings are available to configure them? Also, do Liferay sessions work in browsers with JavaScript disabled?

Environment

  • Liferay DXP 7.1

Resolution

  1. How sessions are managed in Liferay

    The application server manages session expiration. The JSESSIONID cookie identifies the session between the browser and the server; if cookies are not enabled, a ;jsessionid= part is appended to the URL and the session ID is carried there. By default, the session timeout is 15 minutes.

  2. Session configuration options in Liferay

    These are the settings that can be configured in portal-ext.properties:

    ##
    ## Session
    ##

        #
        # Set the maximum number of key value pairs that can be stored in the
        # session via SessionClicks. See LPS-20096 for more information.
        #
        # Env: LIFERAY_SESSION_PERIOD_CLICKS_PERIOD_MAX_PERIOD_ALLOWED_PERIOD_VALUES
        #
        session.clicks.max.allowed.values=1024

        #
        # Set the maximum size of key and value terms that can be stored in the
        # session via SessionClicks. See LPS-20096 for more information.
        #
        # Env: LIFERAY_SESSION_PERIOD_CLICKS_PERIOD_MAX_PERIOD_SIZE_PERIOD_TERMS
        #
        session.clicks.max.size.terms=1024

        #
        # Specify the delimiter for parsing compound session IDs.
        #
        # This addresses an issue with Weblogic and all application servers where
        # the application server appends a unique JVM code to the session ID. See
        # LPS-18587.
        #
        # Set a blank delimiter for the portal to attempt to detect a delimiter
        # based on the application server.
        #
        # Env: LIFERAY_SESSION_PERIOD_ID_PERIOD_DELIMITER
        # Env: LIFERAY_SESSION_PERIOD_ID_PERIOD_WEBLOGIC_PERIOD_DELIMITER
        #
        session.id.delimiter=
        session.id.weblogic.delimiter=!

        #
        # Specify the maximum number of sessions allowed. A value of 0 or less than
        # 0 means there is no limit. A value greater than 0 limits the number of
        # sessions by invalidating newer sessions.
        #
        # This property is not used unless the session max allowed filter is
        # enabled.
        #
        # Env: LIFERAY_SESSION_PERIOD_MAX_PERIOD_ALLOWED
        #
        session.max.allowed=0

        #
        # Specify the number of minutes before a session expires. This value is
        # always overridden by the value set in web.xml.
        #
        # Env: LIFERAY_SESSION_PERIOD_TIMEOUT
        #
        session.timeout=15

        #
        # Specify the number of minutes before a warning is sent to the user
        # informing the user of the session expiration. Specify 0 to disable any
        # warnings.
        #
        # Env: LIFERAY_SESSION_PERIOD_TIMEOUT_PERIOD_WARNING
        #
        session.timeout.warning=1

        #
        # Set the auto-extend mode to true to avoid having to ask the user whether
        # to extend the session or not. Instead, it will be automatically extended.
        # The purpose of this mode is to keep the session open as long as the user's
        # browser is open with a portal page loaded. It is recommended to use this
        # setting along with a smaller "session.timeout", such as 5 minutes, for
        # better performance.
        #
        # Env: LIFERAY_SESSION_PERIOD_TIMEOUT_PERIOD_AUTO_PERIOD_EXTEND
        #
        session.timeout.auto.extend=false

        #
        # When the property "session.timeout.auto.extend" is set to true, set the
        # number of seconds between when the extend process is launched and the
        # actual expiration of the session.
        #
        # Env: LIFERAY_SESSION_PERIOD_TIMEOUT_PERIOD_AUTO_PERIOD_EXTEND_PERIOD_OFFSET
        #
        session.timeout.auto.extend.offset=10

        #
        # Set this to true if the user is redirected to the default page when the
        # session expires.
        #
        # Env: LIFERAY_SESSION_PERIOD_TIMEOUT_PERIOD_REDIRECT_PERIOD_ON_PERIOD_EXPIRE
        #
        session.timeout.redirect.on.expire=false

        #
        # Portlets that have been configured to use private session attributes in
        # liferay-portlet.xml may still want to share some session attributes. This
        # property allows you to configure which session attributes will be shared.
        # Set a comma delimited list of attribute names that will be shared when the
        # attribute name starts with one of the specified attribute names. For
        # example, if you set the value to "hello_,world_", then all attribute names
        # that start with "hello_" or "world_" will be shared.
        #
        # Note that this property is used to specify the sharing of session
        # attributes from the portal to the portlet. This is not used to specify
        # session sharing between portlet WARs or from the portlet to the portal.
        #
        # Env: LIFERAY_SESSION_PERIOD_SHARED_PERIOD_ATTRIBUTES
        #
        session.shared.attributes=\
            COMPANY_,\
            LIFERAY_SHARED_,\
            PORTLET_RENDER_PARAMETERS_,\
            PUBLIC_RENDER_PARAMETERS_POOL_,\
            USER_

        #
        # Explicitly exclude attributes that are shared from the portal to portlets.
        #
        # Env: LIFERAY_SESSION_PERIOD_SHARED_PERIOD_ATTRIBUTES_PERIOD_EXCLUDES
        #
        session.shared.attributes.excludes=USER_PASSWORD

        #
        # Set this to true to store the user's password in the session.
        #
        # Env: LIFERAY_SESSION_PERIOD_STORE_PERIOD_PASSWORD
        #
        session.store.password=false

        #
        # Set this to false to disable all persistent cookies. Features like
        # automatically logging in will not work.
        #
        # Env: LIFERAY_SESSION_PERIOD_ENABLE_PERIOD_PERSISTENT_PERIOD_COOKIES
        #
        session.enable.persistent.cookies=true

        #
        # Set this to true to enable sessions when cookies are disabled. See
        # LEP-4787. This behavior is configurable because enabling it can break
        # certain setups.
        #
        # Env: LIFERAY_SESSION_PERIOD_ENABLE_PERIOD_URL_PERIOD_WITH_PERIOD_SESSION_PERIOD_ID
        #
        session.enable.url.with.session.id=false

        #
        # The login process sets several cookies if persistent cookies are enabled.
        # Set this property to set the domain of those cookies.
        #
        # Env: LIFERAY_SESSION_PERIOD_COOKIE_PERIOD_DOMAIN
        #
        #session.cookie.domain=

        #
        # Set this to true to use the full hostname for cookie domain values. By
        # default the domain is trimmed to use only the root domain to allow cross
        # domain logins.
        #
        # Env: LIFERAY_SESSION_PERIOD_COOKIE_PERIOD_USE_PERIOD_FULL_PERIOD_HOSTNAME
        # Env: LIFERAY_SESSION_PERIOD_COOKIE_PERIOD_USE_PERIOD_FULL_PERIOD_HOSTNAME_OPENBRACKET_TOMCAT_CLOSEBRACKET_
        #
        session.cookie.use.full.hostname=false
        session.cookie.use.full.hostname[tomcat]=true

        #
        # Set this to true to invalidate the session when a user logs into the
        # portal. This helps prevent phishing. Set this to false if you need the
        # guest user and the authenticated user to have the same session.
        #
        # Set this to false if the property "company.security.auth.requires.https"
        # is set to true and you want to maintain the same credentials across HTTP
        # and HTTPS sessions.
        #
        # Env: LIFERAY_SESSION_PERIOD_ENABLE_PERIOD_PHISHING_PERIOD_PROTECTION
        #
        session.enable.phishing.protection=true

        #
        # Set a comma delimited list of attribute names that will be copied to the
        # new session when the property "session.enable.phishing.protection" is set
        # to true.
        #
        # Env: LIFERAY_SESSION_PERIOD_PHISHING_PERIOD_PROTECTED_PERIOD_ATTRIBUTES
        #
        session.phishing.protected.attributes=\
            CAS_LOGIN,\
            HTTPS_INITIAL,\
            LAST_PATH,\
            OPEN_ID_CONNECT_SESSION,\
            SAML_SP_SESSION_KEY,\
            SAML_SSO_REQUEST_CONTEXT,\
            SETUP_WIZARD_PASSWORD_UPDATED

        #
        # Set this to true to test whether users have cookie support before allowing
        # them to sign in.
        #
        # Env: LIFERAY_SESSION_PERIOD_TEST_PERIOD_COOKIE_PERIOD_SUPPORT
        #
        session.test.cookie.support=true

        #
        # Set this to true to allow
        # com.liferay.portal.kernel.servlet.SerializableSessionAttributeListener to
        # test if an added session variable is serializable. Unserializable values
        # stored into the session will cause a session to not replicate if session
        # replication was enabled by the application server.
        #
        # Env: LIFERAY_SESSION_PERIOD_VERIFY_PERIOD_SERIALIZABLE_PERIOD_ATTRIBUTE
        #
        session.verify.serializable.attribute=true

        #
        # Input a list of comma delimited class names that extend
        # com.liferay.portal.struts.SessionAction. These classes will run at the
        # specified event.
        #

        #
        # Servlet Session Create Event
        #
        # Env: LIFERAY_SERVLET_PERIOD_SESSION_PERIOD_CREATE_PERIOD_EVENTS
        #
        servlet.session.create.events=com.liferay.portal.events.SessionCreateAction

        #
        # Servlet Session Destroy Event
        #
        # Env: LIFERAY_SERVLET_PERIOD_SESSION_PERIOD_DESTROY_PERIOD_EVENTS
        #
        servlet.session.destroy.events=\
            com.liferay.portal.events.SessionDestroyAction,\
            com.liferay.portal.events.ChannelSessionDestroyAction

        #
        # Set this to true to track user clicks in memory for the duration of a
        # user's session. Setting this to true allows you to view all live sessions
        # in the Admin portlet.
        #
        # This property is deprecated and will be removed in a future release.
        #
        # Env: LIFERAY_SESSION_PERIOD_TRACKER_PERIOD_MEMORY_PERIOD_ENABLED
        #
        session.tracker.memory.enabled=true

        #
        # Set this to true to track user clicks in the database after a user's
        # session is invalidated. Setting this to true allows you to generate usage
        # reports from the database. Use this cautiously because this will store a
        # lot of usage data.
        #
        # This property is deprecated and will be removed in a future release.
        #
        # Env: LIFERAY_SESSION_PERIOD_TRACKER_PERIOD_PERSISTENCE_PERIOD_ENABLED
        #
        session.tracker.persistence.enabled=false

        #
        # Set this to true to convert the tracked paths to friendly URLs.
        #
        # This property is deprecated and will be removed in a future release.
        #
        # Env: LIFERAY_SESSION_PERIOD_TRACKER_PERIOD_FRIENDLY_PERIOD_PATHS_PERIOD_ENABLED
        #
        session.tracker.friendly.paths.enabled=false

        #
        # Enter a list of comma delimited paths that should not be tracked.
        #
        # This property is deprecated and will be removed in a future release.
        #
        # Env: LIFERAY_SESSION_PERIOD_TRACKER_PERIOD_IGNORE_PERIOD_PATHS
        #
        session.tracker.ignore.paths=\
            /portal/render_portlet,\
            \
            /document_library/get_file

    Please note that session extension requires JavaScript, so it cannot work when JavaScript is disabled.

  3. Whether Liferay sessions work in browsers with JavaScript disabled

    Yes, it should work with some limitations, but most of the limitations will be related to the UI. For session handling, only the session extension is handled by JavaScript on the browser side.
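
An added example, not part of the original article or of Liferay's code: a small Python check that parses a portal-ext.properties file, including the backslash line continuations used above, and reports session properties that differ from the defaults listed in this article. The policy table and the sample input are assumptions constructed for illustration.

```python
# Constructed sample portal-ext.properties content (not from a real deployment).
SAMPLE = """\
# overrides
session.timeout.auto.extend=true
session.enable.url.with.session.id=true
session.enable.phishing.protection=false
session.store.password=true
session.shared.attributes.excludes=\\
    SOME_OTHER_ATTRIBUTE
"""

# Assumed policy for this example: the default values listed in the article.
EXPECTED = {
    "session.enable.url.with.session.id": ("false", "session ID is carried in the URL as ;jsessionid="),
    "session.enable.phishing.protection": ("true", "session is not invalidated when the user logs in"),
    "session.store.password": ("false", "user's password is stored in the session"),
    "session.timeout.auto.extend": ("false", "session stays open while a portal page is loaded"),
}

def parse_properties(text):
    """Parse key=value pairs, joining backslash-continued lines ('=' separator only)."""
    props, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is None and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            pending = (pending or "") + line[:-1]
            continue
        key, _, value = ((pending or "") + line).partition("=")
        props[key.strip()] = value.strip()
        pending = None
    return props

def audit(text):
    """Return (property, actual value, reason) for each deviation from EXPECTED."""
    props = parse_properties(text)
    findings = [(k, props[k], why) for k, (want, why) in EXPECTED.items()
                if k in props and props[k].lower() != want]
    excludes = props.get("session.shared.attributes.excludes")
    if excludes is not None and "USER_PASSWORD" not in [a.strip() for a in excludes.split(",")]:
        findings.append(("session.shared.attributes.excludes", excludes,
                         "USER_PASSWORD is no longer excluded from shared attributes"))
    return findings

if __name__ == "__main__":
    for name, value, why in audit(SAMPLE):
        print(f"{name}={value}: {why}")
```

Properties that are absent from the file are not reported, because the portal then uses its default. session.timeout is not checked here because, as noted above, the value in web.xml always overrides it.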
