WiscWeb - Session timeouts

This document walks you through the information we have on timeout settings that could affect your session in WiscWeb. Any one of these timeouts could end your session and require you to re-authenticate. For example, your Shibboleth session could expire before your MFA session. There is no single, clearly defined “timeout” period.

Terminology

Session
A session is considered the time you are actively logged into and interacting with a tool or service. 

Timeout
A feature or setting whereby users are logged out of their current authenticated session. This is typically because you've been inactive for a certain period of time or you've reached the max session time. There are many tools that we use every day and each can have a different designated timeout period. 

Factors that influence timeouts

There are many factors that can influence session timeouts:

Shibboleth

Timeout session: 8 hours

Shibboleth is the single sign-on solution that we use at UW-Madison to authenticate into campus tools. When you have to log in to a tool using your campus NetID credentials, you are likely authenticating via Shibboleth. 

MFA/Duo

Timeout session: 12 hours

Multi-factor authentication (also known as Duo) is a tool used on campus to offer a second level of security when logging in. Users typically first authenticate with Shibboleth (username and password) and then authenticate again using MFA/Duo (smartphone, token/fob). Typically, users set their session to remember them for 12 hours. 

WordPress

Timeout session: Undetermined

WordPress also has a specific timeout period. The exact time is undetermined, and they will not divulge what that is. Our best guess is somewhere around 48 hours. It is important to note that we have no influence over this setting. 

WiscWeb servers

Timeout session: Subjective

Every single server in WiscWeb has its own opinion about when you first showed up. You could hit one server and not hit another. Therefore, your "session" is sort of subjective.

Other applications

Timeout session: Subjective

You could have applications that you use in your department that are also affecting your authenticated session. If you navigate to those tools while authenticated in WiscWeb, you could be logged out sooner than expected. The timeout period for these is unknown but could have an effect on your WiscWeb session.

Contact information

It is important to note that WiscWeb has very little control over the timeout settings for the tools that could affect your session. If you have questions about these, the following will provide some guidance on where to direct your questions:

Shibboleth, WiscVPN, MFA/Duo: help@doit.wisc.edu

WordPress: https://wordpress.org/support/

General guidance

As you run into issues with session timeouts, please consider the following:

  1. You should expect to have to re-login/authenticate every day
  2. You should always err on the side of caution and publish/save your content often
  3. We cannot customize timeout settings for individual sites
  4. If you periodically get a 403 error, you may have gotten disconnected from WiscVPN. This is not a session timeout. You will need to reconnect to WiscVPN before you are able to resume editing your site. For more information, please see: WiscWeb - 403 Forbidden Error