Don't understand sessionTimeout

I’m seeing some behaviors I don’t understand related to the session timeout setting in Lucee Admin.

  • If I set it to 0 days, 0 hours, 0 minutes, and 10 seconds, I can wait at least 30 seconds, maybe even longer, and hit the same admin page again, without being asked to log in again. Why is that? I thought my session would expire after 10 secs, and I’d need to log in again. Is there some hidden minimum value? (Just to be clear, I only did this for testing some related code under development, it’s not practical for real life.)

  • With that same admin setting, getApplicationSettings().sessionTimeout comes back as 0.020833333333, which as I understand it is a timespan, i.e., a number of days, so that value * 24 * 60 is minutes === 30 minutes. Why doesn’t that line up with what I see in Lucee Admin?

  • It doesn’t appear that sessions actually time out in the 30 minutes that indicates either. It’s significantly shorter than that, though longer than the 10 secs set in admin, as noted above. I didn’t try to nail down exactly how long it actually is, didn’t see the point, would rather understand.

Am I thinking about this completely wrong? It seems pretty basic, but something’s clearly not right, either in Lucee or my understanding. This is Lucee 4.5.5.006, if that matters.

I set the session timeout to 45 minutes in Web admin, and restarted Lucee just in case, but the getApplicationSettings().sessionTimeout value didn’t change.

Stupid question but have you tried putting the settings in Application.cfc?

this.sessionmanagement = true;
this.sessiontimeout = CreateTimeSpan( 0, 0, 30, 0 );

Thanks for jumping in Mark, not stupid, and no, haven’t tried that. However, while it might get the behaviors to be more consistent, I’d consider it more potentially diagnostic than an actual solution.

Re actual session behavior, users of our software expect to be able to control server behavior with the Lucee admin settings, as usual, it should work. They shouldn’t have to modify our software to change the session timeout.

Re the function return, I need to get that value to tell some other things about it. That should work too, regardless of how it was set.

Anyone care to confirm or dispute what I’m seeing, or my understanding of how it should work?

I did some testing with Lucee 4.5 and 5.2 both on Jetty and they seem to be working here without issue.