Web UI Sessions

While connecting to any of the web interface pages of EJBCA, an HTTP(S) session is initialized. By default, this session lasts for 15 minutes and then terminates unless there has been page activity during that time. Since authentication to the web interfaces is performed using a client certificate, a terminated session will be re-initialized (with a new sessionId) as soon as the browser is refreshed. The browser holds the client certificate, hence there is no straightforward way of completely terminating the session and forcing re-authentication from the server side (logout), unless the browser is restarted after session termination.

How sessions behave can be configured to a certain extent by administrators, see Configuring Session Timeout.

Administration Web

Accessing the Administration Web requires a client certificate with sufficient access rights. Each new session will create an audit log entry, stating details regarding the "Log-in".

Terminated and timed-out sessions are also audit logged. Note that the logged time is not necessarily the exact point in time when the browser is closed, but rather when the session ends.

Configuring Session Timeout

The session timeout, i.e. the allowed period of inactivity before the session is terminated, is configured in Admin Web > System Configuration > Basic Configuration. To set the session timeout, select Enable Session Timeout and then specify the timeout (in minutes). Note that this is not required to enable the default session timeout of 15 minutes; rather, it overrides the default with a longer or shorter allowed period of inactivity before the session terminates. Enabling the Enable Session Timeout setting will redirect the user to a "Logout page" once the session ends. This configuration applies to Admin Web only.

The session timeout feature requires JavaScript enabled in the client browser.

Logout

Clicking the Logout button in the Admin Web menu will immediately terminate the current session and redirect the user to the "Logout Page" in the RA Web on the public protocol (default http://[...] port 8080) to prevent a new session from being initialized. 

Forcing re-authentication

As mentioned above, as the browser holds the certificate, re-authentication will not take place while navigating back to the Admin Web. To force re-authentication (from the client side), close the browser after logout.

RA Web

Sessions in the RA Web behave slightly differently from the Admin Web. The default timeout works the same way. However, there is a session keep-alive service which lowers the session timeout and actively re-validates the session, keeping the RA user logged in while making it possible to detect when the browser is closed and terminate the session. Initialized and ended sessions of the RA Web are written to the server log, though not audit logged.
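As an added example that is not EJBCA code, the following Python model illustrates two points from this page: why a server-side logout cannot force re-authentication when the browser re-presents the client certificate (Logout above), and why a keep-alive with a lowered idle timeout lets the server notice a closed browser much sooner than the default 15-minute timeout (RA Web). The class, function names, certificate subjects and log tuples are all constructed for the illustration.

```python
import itertools

class SessionStore:
    """Constructed model of server-side sessions expiring after idle_timeout seconds (not EJBCA code)."""
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.sessions = {}               # session id -> (cert subject, time of last activity)
        self.log = []                    # constructed stand-in for the audit / server log
        self._ids = itertools.count(1)

    def request(self, cert_subject, now):
        """Every request carries the client certificate, so a missing session is simply re-created."""
        self.expire(now)
        for sid, (subject, _) in self.sessions.items():
            if subject == cert_subject:
                self.sessions[sid] = (subject, now)   # page activity resets the idle clock
                return sid
        sid = next(self._ids)
        self.sessions[sid] = (cert_subject, now)
        self.log.append(("login", sid, now))
        return sid

    def expire(self, now):
        """End every session whose idle period has reached the timeout."""
        for sid, (_, last) in list(self.sessions.items()):
            if now - last >= self.idle_timeout:
                del self.sessions[sid]
                self.log.append(("session_end", sid, now))

    def logout(self, sid, now):
        """Server-side logout: drops the session, but cannot drop the browser's certificate."""
        if self.sessions.pop(sid, None):
            self.log.append(("logout", sid, now))

def logout_then_reload(store):
    """Logout removes the session, yet a reload with the same certificate gets a fresh one."""
    first = store.request("CN=admin", now=0)
    store.logout(first, now=10)
    second = store.request("CN=admin", now=20)
    return first, second, first in store.sessions, second in store.sessions

def seconds_to_detect_browser_close(store, keepalive_interval, close_at):
    """Seconds after the browser closes at close_at until the session ends (None = no keep-alive pings)."""
    store.request("CN=ra-user", now=0)
    last_ping = 0
    if keepalive_interval is not None:
        while last_ping + keepalive_interval <= close_at:
            last_ping += keepalive_interval
            store.request("CN=ra-user", now=last_ping)   # keep-alive re-validates the session
    end = last_ping + store.idle_timeout                  # pings stop, so the lowered timeout fires
    store.expire(end)
    return end - close_at
```

With the default 15-minute timeout and no keep-alive, a browser closed 100 seconds into the session is only noticed 800 seconds later; with a 60-second timeout refreshed by 30-second pings, the session ends 50 seconds after the close.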