
Symptoms

 


When working with K2 smartforms you may notice that after approximately 8 hours, irrespective of whether you have been working with forms or not, the following pop-up message is presented to you:

 


“Your session will expire in 30 seconds. Would you like to extend it?” Yes/Close.


If you click OK, the page with the smartform refreshes and all unsaved data on the form is lost.
What exactly expires there?
How can this timeout value be configured/increased?
Why is this window, which offers to extend/continue your session, unable to handle this without data loss?
 

 

Diagnoses

 


This is expected behavior: by default, every 8 hours the STS token and session expire and are refreshed.
There are two possible behaviors when tokens expire:
1) The token expires and you get a popup informing you about this; you then have the option to extend it. As the popup notes, if you click OK to extend you will not lose any unsaved work.
2) The token expires and you get the popup, but you ignore it and do not click to extend. At the end of the 30-second countdown your session is renewed, meaning you are redirected to the STS and back again to renew it. In this case unsaved data is lost.
This STS token expiration timeout is configurable by adjusting the appropriate lines in the STS (Windows/Forms) web.config (value in seconds; default 28800, i.e. 8 hours):




It is not possible to preserve unsaved data in this scenario, since the page is in essence refreshed to use the new tokens and the data is consequently lost. The timeout can instead be configured to 12-14 hours, which ensures that a token refresh does not happen during working hours (depending on the working hours in question).
This expiration/timeout of the SAML token, handled by the claims provider (STS), exists for security reasons. The idea is that the SAML token becomes invalid after a certain amount of time, which makes the solution more secure: in the case of cookie/session hijacking the stolen token is of limited use, because it cannot be used beyond its timeout. Thanks to this expiration, by the time an attacker has captured the encrypted traffic and brute-forced its decryption, the ticket is likely to be outdated/invalid.

At the same time, most real users work less than 12 hours a day, so they log in every morning with a new SAML token and are not disturbed by the token renewal operation. There is also a mechanism to obtain a new token when you come close to the 'end time' of the SAML token. Because AJAX does not allow a redirect like a normal browser request, the smartforms application handles it in this way.
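To make the lifetime rule concrete, here is an added example (not K2's own code) of what a relying party checks on a SAML token: the Conditions window the STS stamps on the assertion, using the 28800-second default and the 30-second warning described above. The assertion is constructed inline, and the window helper, validity check and prompt-timing function are assumptions for illustration, not the product's API.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_LIFETIME = 28800  # seconds: the STS default the article cites (8 hours)
WARN_BEFORE = 30          # seconds: the smartforms popup countdown
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_assertion(issued: datetime, lifetime: int = DEFAULT_LIFETIME) -> str:
    """Constructed sample assertion (not a real K2 STS token) carrying the
    Conditions window a claims provider stamps on every token."""
    expires = issued + timedelta(seconds=lifetime)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        f'<saml:Conditions NotBefore="{issued.strftime(TIME_FMT)}" '
        f'NotOnOrAfter="{expires.strftime(TIME_FMT)}"/>'
        '</saml:Assertion>'
    )


def conditions_window(assertion_xml: str) -> tuple[datetime, datetime]:
    """Return (NotBefore, NotOnOrAfter) as aware UTC datetimes."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")

    def parse(stamp: str) -> datetime:
        return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)

    return parse(cond.get("NotBefore")), parse(cond.get("NotOnOrAfter"))


def token_is_valid(assertion_xml: str, now: datetime, skew: int = 0) -> bool:
    """A token replayed outside its window is rejected, regardless of how it
    was obtained; NotOnOrAfter is exclusive per the SAML spec."""
    not_before, not_on_or_after = conditions_window(assertion_xml)
    tolerance = timedelta(seconds=skew)
    return (not_before - tolerance) <= now < (not_on_or_after + tolerance)


def seconds_until_prompt(assertion_xml: str, now: datetime) -> float:
    """Seconds until the client should show the 'expires in 30 seconds'
    prompt (negative once the prompt is already due)."""
    _, not_on_or_after = conditions_window(assertion_xml)
    return (not_on_or_after - now).total_seconds() - WARN_BEFORE
```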
 

 

Resolution

This is expected behavior and a security precaution. The timeout setting can be increased to minimize distraction for users.

 

 
