WebSphere Portal Server - Need help in understanding how portal sessions work

Author

Need help in understanding how portal sessions work

2007-05-02, 1:20 am

The basic goal is this: i need to be able to specify different session timeouts for different user types (based on roles). For example, if some users have a specific role then the session timeout needs to be 8 hours (yes, i'm not kidding), but other users
can have just a half-hour session. I would prefer to be able to do this programatically, but at this stage would be happy with any kind of solution.

Having a servlet background i thought no worries, i'll just use the setMaxInactiveInterval method of the session object. So i wrote some basic tests and have discovered some things about portal sessions that i don't understand:

Note: My testing has been on Portal 5.1 Test Environment and RAD6. I don't know if there will be a difference in behavour between this and an actual proper deployment?

After logging in, if any portlet uses the code request.getPortletSession(false) the result is null. So already i have a conundrum: a session must be created at logon (because i get back a jsessionid cookie, and because if i navigate around things are show
ing, but if i leave the browser alone for 30 minutes and then try to navigate somewhere i get bounced back to the logon page). The conundrum being that if a session does exist, why does request.getPortletSession(false) return null? This seems to imply th
at "the session (portal)" and "the session (portlet)" are two different things.

Scratching my head, but forgeing onwards by forcing a 'session' creation with request.getPortletSession(true) and then at some point calling setMaxInactiveInterval(60) i find the following:

- setting the max inactive interval to 1 minute doesn't cause it to expire after 1 minute of activity, it expires after 5 minutes. I'm not worried about that, i assume there is some clean-up operation running every 5 minutes to clean-up inactive sessions
. Although i mention it because i was wondering where this cleanup frequency is specified? I couldn't find any obvious config. But setting the inactiveInterval for one user at 60 and another user at 600 gets reasonable results in that user1 session data d
isappears after 5 minutes of inactivity and user 2 session data disappears after 10 minutes of inactivity.

- the bit i don't understand/like is the behavour: After expiry due to inactivity and then attempting to navigate around it seems that request.getPortletSession(false) returns null again. That's OK because it seems the session data has been cleaned-up, b
ut i was really hoping that it would bounce me back out to the logon page! The fact that it doesn't seems to be more evidence that the "portal session" and the "portlet session" are two different things.

So i would be really grateful if somebody could explain what is going on, or how to achieve the goal.

Oliver Then

2007-05-02, 7:20 am

You are correct, the portal session and the portlet sessoin are two
different things. As far as I know, according to the J2EE spec each
application (portlet) has to have its own session which must be
independent of the global HTTP session. When you log into the portal,
you get a portal session which has a default timeout of 30 minutes (can
be configured in appserver). However, a portlet session only gets
created when the portlet code requires a session. This is why your call
getSession(false) returned "null". I assume the portlet did not create a
session so far, therefore no session was available.
Your question about getting redirected to the login page, this only
happens when the portal session times out. Eventually the LTPA token has
to be considered for this behavior as well, depending on your security
configuration.
The redirect to the login page does not happen when a portlet session
timed out. I think this is correct behavior, because you would not want
to get redirected to the login page just because the session of one
portlet timed out, but your portal session is still valid and active.

Oliver