Configured session time-out is not accurately enforced in SAS® web applications


After configuring the web application session time-out as described in "Configure the HTTP Session Time-Out Interval", the session might not expire at exactly the specified time-out value.

Instead, an additional five-minute grace period occurs via a Session Time-out warning pop-up box, which is displayed when the session reaches its idle limit. As a result, the actual session time-out exceeds the configured value.

Session Time-out: Your session is about to expire.

This issue occurs in some SAS web applications where users are redirected to a Session Time-out warning pop-up window.

Example Scenario

If you configure the session time-out for 15 minutes, a warning occurs at the 15-minute mark. The session remains active for another five minutes and effectively times out after 20 minutes of inactivity.

Workaround

To ensure that the session time-outs behave as expected according to your configuration, the Session Time-out warning pop-up box will now be displayed five minutes before the actual session time-out.

If you need assistance identifying or applying the hot fix, contact SAS Technical Support.