Genpact Cora Knowledge Center

Support

Session Configuration

Starting with V10.0, Cora SeQuence has been renamed to Cora Orchestration.

V9.3 and later

Overview

Cora SeQuence uses server-side memory cache and database persistence to store user's session data between requests.
Client-side cookies are used to store session state between requests. Therefore, browser cookies must be enabled and unblocked when running Cora SeQuence site applications.

You can control session cache configuration, database persistence, and browser cookie behavior in the web.config file.

Session properties

Configuration is optional for most properties.
The application and enabled properties are explicitly tagged in the root position in the web.configfile.

<sequence.engine>
  <web>
      <session application="Flowtime" enabled="true" />
  </web>
</sequence.engine>

You can also configure the session properties for some specific location by setting these properties under the <location path="location name"> tag in the web.config file.

PropertyDescription
enabledSpecifies if the Cora SeQuence session is used or not.
  • <web>:  Default value is true
  • <location path="SequenceServices">: Default value is false
lifetime Specifies the time period, in minutes, after which the session authentication cookie expires.
Default value: 20
NOTE
To set a value other than default, make sure to configure this property in the root position of the <web> location in the web.config file.
Starting with V10.2, a session expiration warning message is displayed n minutes before the session authentication cookie expires. You can configure the Portal.Session.SessionWarningCountdownTime application variable to determine when to display the session expiration warning.

For details about the application variable, see this article.
sessionCookiePathStandard browser cookie property.
Restricts the cookie to a specific path.
Default value: /
maxLifetime Specifies the time period, in minutes, for maximum cookie expiration.
maxLifeTime is not a sliding expiration property. For security purposes, login is required after the maxLifeTime period expires, even if the user has been actively using the application during the specified time period.
Default value: 1440
sessionCookieSecure Standard browser cookie property.
If set to “true”, the cookie is sent with the client’s request only over a secure connection (SSL).
Default value: false

NOTE 
After initial installation, if you have configured the Cora SeQuence web application to work with HTTPS, you need to change the configuration to send the session cookie using secure connection only.
sessionCookieName Contains the prefix of the unique cookie name as it appears in the browser.
The actual cookie name includes the prefix followed by the Application property. For example, SQSessionAdministration.
Default value: SQSession
applicationIdentifies the application name.
This property accepts any value when manually configured.
Default values: Administration or Flowtime. 
sessionCookieDomain Standard browser cookie property.
Specifies the cookie domain.
Default value: ""
cacheMaxSizeSpecifies the maximum number of sessions stored in the cache.
Default value: 0 (unlimited)
cacheItemFadeTime period, in minutes, during which the system keeps the data related to a specific session after the session has finished.
Default value: 10  
reuseSessionEnables the session token to be reused across browsers or devices for the same user in the same application. 
  • If set to true, when a user signs in to an application from multiple browsers or devices, the user's session is shared across all access-point clients and the user is not signed out from the previous browser or device. 
  • If set to false, the users’ session expires on any previously signed-in browser or device.

Default value: true


V8.7-V9.2

Overview

Starting with Cora SeQuence V8.7, user data is stored using a session authentication module that can be controlled by a new Session element in the  web.config file.
Using ASP.NET Session State object for user authentication persistence,  referred to as AuthenticatedUser, is no longer supported.

The ASP.NET session state is disabled by default in Flowtime installations, but it is still available in Administration installations to support backward compatibility. 

Cora SeQuence session configuration

Cora SeQuence uses a cookie to store users’ state between requests. You can configure the web.config file to control the usage and attributes of the cookie.  

Just like with earlier versions of Cora SeQuence, cookies must be enabled on the client browser to ensure that the Administration and Flowtime sites function properly.

Cora SeQuence generates a unique session cookie name for each site, Administration and Flowtime.

Properties

The following table describes the attributes that you can configure for Cora SeQuence session.

Configuration is optional.

PropertyDescription
enabledSpecifies if the Cora SeQuence session is used or not.
This property is defined in two locations in the web.config file:
  • <web>:  enabled and used for authentication
    • Default value: "true"
  • <location path="SequenceServices">: by default, the session persistence is disabled for SequenceServices location.
lifetime Specifies the time period, in minutes, after which the session authentication cookie expires. Same behavior as in ASP .NET session cookie.

Default value: "20" 

sessionCookiePathStandard browser cookie property.
Restricts the cookie to a specific path.

Default value: ”/”

maxLifetime Specifies the time period, in minutes, for maximum cookie expiration.
maxLifeTime is not a sliding expiration property. For security purposes, login is required after the maxLifeTime period expires, even if the user has been actively using the application during the specified time period.

Default value: "1440" 

sessionCookieSecure Standard browser cookie property.
If set to “true”, specifies that the cookie is sent with the client’s request only over a secure connection (SSL).
Default value: "false"
Note: After initial installation, if you have configured the Cora SeQuence web application to work with HTTPS, you need to change the configuration to send the session cookie using secure connection only.
sessionCookieName Standard browser cookie property.
Contains the prefix of the unique cookie name as it appears in the browser.
The unique name is generated dynamically in runtime for each application, and cannot be controlled in the web.config file. The actual cookie name includes the prefix followed by a unique ID. For example, SQSession_123456.
Default value: "SQSession"
sessionCookieDomain Standard browser cookie property.
Specifies the cookie domain.

Default value: ""


IMPORTANT

  • If you used the ASP.NET session state to store and retrieve any data in your Flowtime custom implementation, when you upgrade to V8.7, you need to enable the ASP.NET session state in the web.config file.  
  • In future versions of Cora SeQuence, the ASP.NET session state will be disabled by default in Administration installations too.