Session timeout

When session timeout is enabled, user sessions are automatically logged off after a set period of inactivity. This applies to users who have logged into HCL Commerce, not to guest sessions. Session timeout settings can be changed based on the security requirements of your site. Session timeout does not apply to requests that are served from cache and therefore bypass the HCL Commerce session management code.

There are two mechanisms for session timeout in HCL Commerce:

  1. Cookie-based timeout: Session expiry is built into the WC_USERACTIVITY cookie.
  2. Activity-based timeout: When cookies are not used, the Business Context Service activity, persisted in the CTXMGMT table, is used to determine whether the session has timed out.

     This mechanism is used, for example, when REST API calls are made with WCToken and WCTrustedToken, or when using Management Center for HCL Commerce, which does not use the WC_USERACTIVITY cookie.

When a user session times out and the user had previously chosen to be remembered, the session turns into a partially authenticated session instead of a generic user session. In these circumstances, the user can continue with their request, if that API is configured to be accessible by partially authenticated users.

When requests are made using the Spring framework, the following Spring views are used:

ReLogonFormView: The user is sent to this view if the session times out and the user is not remembered.

RememberMeLogonFormView: The user is sent to this view if they are a partially authenticated user and try to access an API that is not allowed to be accessed by a partially authenticated user.
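As an added illustration (not HCL Commerce code), the following model encodes the timeout decision described above: which mechanism applies, how a remembered user becomes partially authenticated, and which Spring view results. The cookie, table and view names come from this page; the `Session` class, `resolve` and `demo` functions, and the use of epoch seconds are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Session:
    user_id: Optional[int]                   # None marks a guest session
    remembered: bool                         # user chose "remember me" at logon
    cookie_expires_at: Optional[int] = None  # expiry (epoch seconds) carried in WC_USERACTIVITY
    last_activity: Optional[int] = None      # last activity (epoch seconds) from CTXMGMT

def resolve(session: Session, now: int, timeout_s: int,
            api_allows_partial: bool, cached: bool = False) -> Tuple[str, Optional[str]]:
    """Return (session state, Spring view or None) for one request.

    Cookie-based timeout applies when WC_USERACTIVITY is present; otherwise the
    CTXMGMT activity timestamp decides (WCToken/WCTrustedToken calls, Management Center).
    """
    if cached:
        return ("cached", None)        # cached responses bypass session management
    if session.user_id is None:
        return ("guest", None)         # guests are not subject to session timeout
    if session.cookie_expires_at is not None:
        timed_out = now >= session.cookie_expires_at              # cookie-based
    elif session.last_activity is not None:
        timed_out = now - session.last_activity >= timeout_s      # activity-based
    else:
        timed_out = True               # assumption: no activity evidence, treat as expired
    if not timed_out:
        return ("authenticated", None)
    if not session.remembered:
        return ("generic", "ReLogonFormView")          # timed out and not remembered
    if api_allows_partial:
        return ("partially_authenticated", None)       # request may continue
    return ("partially_authenticated", "RememberMeLogonFormView")

def demo() -> dict:
    """Constructed scenarios (not product data): 30-minute timeout, now = 10000."""
    now, timeout = 10000, 1800
    return {
        "guest": resolve(Session(None, False, cookie_expires_at=1), now, timeout, True),
        "cookie_live": resolve(Session(7, False, cookie_expires_at=12000), now, timeout, True),
        "cookie_expired": resolve(Session(7, False, cookie_expires_at=9000), now, timeout, True),
        "token_idle_remembered": resolve(Session(7, True, last_activity=8000), now, timeout, True),
        "token_idle_restricted": resolve(Session(7, True, last_activity=8000), now, timeout, False),
        "cached": resolve(Session(7, False, cookie_expires_at=1), now, timeout, False, cached=True),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```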
