Configuring Apache Shiro session timeout

The Common Platform includes the Apache Shiro Java security framework. Apache Shiro is used by products on the Common Platform for authentication, authorization and session management.

If Apache Shiro is installed for a product-specific profile, its configuration file can be found in the following location:

<install_dir>/profiles/<profile>/configuration/shiro.ini

For example, for Integration Server's default profile, the location would be:

<install_dir>/profiles/IS_default/configuration/shiro.ini

By default, Apache Shiro is configured to store the sessions of logged-in users in memory. The default session timeout is 30 minutes, which means that if a user session remains idle for 30 or more minutes, the session expires. An expired session is removed and the user is required to log in again. This is suitable for most applications, but might cause out-of-memory issues if an application handles a large number of sessions. For such applications, it is recommended to configure a lower session timeout and to decrease the session validation interval (Shiro validates sessions at regular intervals and removes any invalid or expired sessions from the session data store). This can be done by adding the following properties to shiro.ini:

[main]
...
securityManager.sessionManager.globalSessionTimeout=60000
securityManager.sessionManager.sessionValidationInterval=60000

The values are specified in milliseconds, so the above configuration example sets both the session timeout and the validation interval to 1 minute.
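The following script is an added example, not code from the original page or from the Apache Shiro project. It audits the [main] section of a shiro.ini for the two properties described above: it reports when either is missing (so Shiro's built-in default applies), when a value is not numeric, when a value exceeds a site limit, and when the validation interval is longer than the session timeout (expired idle sessions are reclaimed by the validation sweep, so a long interval lets them stay resident that long). The 5-minute limits and the three sample shiro.ini texts are constructed for illustration; the 30-minute default timeout is the one stated on the page and the one-hour default validation interval is Shiro's documented default.

```python
"""Audit the session settings in a shiro.ini (added example, not Shiro project code)."""
import configparser

KEY_TIMEOUT = "securityManager.sessionManager.globalSessionTimeout"
KEY_VALIDATION = "securityManager.sessionManager.sessionValidationInterval"

# Constructed sample: a shiro.ini that leaves both properties unset.
SAMPLE_DEFAULT_INI = """
[main]
sessionManager = org.apache.shiro.session.mgt.DefaultSessionManager
securityManager.sessionManager = $sessionManager
"""

# Constructed sample: the one-minute settings from the page.
SAMPLE_HARDENED_INI = """
[main]
securityManager.sessionManager.globalSessionTimeout=60000
securityManager.sessionManager.sessionValidationInterval=60000
"""

# Constructed sample: short timeout but a one-hour validation sweep, so
# expired idle sessions can stay in memory for up to an hour.
SAMPLE_SLOW_SWEEP_INI = """
[main]
securityManager.sessionManager.globalSessionTimeout=60000
securityManager.sessionManager.sessionValidationInterval=3600000
"""


def parse_shiro_ini(text):
    """Parse shiro.ini text; keys keep their case and '$ref' values are not interpolated."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # do not lower-case securityManager.* keys
    parser.read_string(text)
    return parser


def check_setting(section, key, limit_ms, default_desc, findings):
    """Record findings for key and return its integer value, or None if unusable."""
    raw = section.get(key)
    if raw is None:
        findings.append(f"{key} not set; Shiro default ({default_desc}) applies")
        return None
    try:
        value = int(raw)
    except ValueError:
        findings.append(f"{key} has a non-numeric value {raw!r}")
        return None
    if value > limit_ms:
        findings.append(f"{key}={value} ms exceeds the limit of {limit_ms} ms")
    return value


def audit_session_settings(text, max_timeout_ms=5 * 60 * 1000, max_validation_ms=5 * 60 * 1000):
    """Return a list of findings; empty when both settings are present and within the limits.

    max_timeout_ms and max_validation_ms are assumed site limits (5 minutes here).
    """
    cfg = parse_shiro_ini(text)
    if not cfg.has_section("main"):
        return ["no [main] section found"]
    main = cfg["main"]
    findings = []
    timeout = check_setting(main, KEY_TIMEOUT, max_timeout_ms, "30 minutes", findings)
    interval = check_setting(main, KEY_VALIDATION, max_validation_ms, "1 hour", findings)
    # Idle expired sessions are removed by the validation sweep, so a sweep
    # interval longer than the timeout keeps them in memory for up to that long.
    if timeout is not None and interval is not None and interval > timeout:
        findings.append(
            f"{KEY_VALIDATION}={interval} ms is longer than the session timeout of {timeout} ms"
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT_INI),
                         ("hardened", SAMPLE_HARDENED_INI),
                         ("slow sweep", SAMPLE_SLOW_SWEEP_INI)):
        print(f"{name}: {audit_session_settings(sample) or 'OK'}")
```

To run it against a real installation, read `<install_dir>/profiles/<profile>/configuration/shiro.ini` into a string and pass it to `audit_session_settings`; adjust the two limit parameters to the values your deployment has chosen.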

For more information, see Apache Shiro Session Management: https://shiro.apache.org/session-management.html