Alfresco: increase session cookie timeout

By default, Alfresco uses credential cookies which are valid for only 60 minutes. This means that users may need to log in a few times during the day.

To increase the timeout, edit files /opt/alfresco-4.2.b/tomcat/webapps/share/WEB-INF/web.xml and /opt/alfresco-4.2.b/tomcat/webapps/alfresco/WEB-INF/web.xml:

<session-config>
   <session-timeout>1440</session-timeout><!-- 1 day -->
</session-config>

And restart Alfresco.

Increasing the value further is normally useless because the cookies sent by Alfresco (or actually Tomcat) are session cookies. These kind of cookies will be deleted when the user closes his browser.

To trick the browser to keep these cookies longer, we can use Apache mod_header. First, configure an Apache virtualhost and enable mod_headers as outlined in my previous posts: 1 2.

Add the following to /etc/apache2/sites-enabled/alfresco-reverse-proxy:

Header edit Set-Cookie "^(JSESSIONID=.*)" "$1; Expires=Thu, 01-Jan-2099 00:00:00 GMT"

This will edit the "JSESSIONID" cookie sent by the Tomcat server; it will append an expiry date which lies far in the future. Reload Apache to activate the change.

Now you can increase the session-timeout value in the two web.xml files even further so the server will still accept the cookies after a longer period of inactivity.

WARNING: Security best practices dictate that sessions should expire as soon as possible. You should not touch the defaults for an Alfresco server facing the Internet, unless you really know what you are doing! Even internal servers may require extra measurements against session hijacking, depending on the sensitivity of stored documents.