Session

Specify the delimiter for parsing compound session ids.

This addresses an issue with Weblogic and all application servers where the application server appends a unique JVM code to the session id. See http://issues.liferay.com/browse/LPS-18587.

Set a blank delimiter for the portal to attempt to detect a delimiter based on the application server.

session.id.delimiter=
session.id.weblogic.delimiter=!

Specify the number of minutes before a session expires. This value is always overridden by the value set in web.xml.

session.timeout=30

Specify the number of minutes before a warning is sent to the user informing the user of the session expiration. Specify 0 to disable any warnings.

session.timeout.warning=1

Set the auto-extend mode to true to avoid having to ask the user whether to extend the session or not. Instead it will be automatically extended. The purpose of this mode is to keep the session open as long as the user browser is open and with a portal page loaded. It is recommended to use this setting along with a smaller session.timeout, such as 5 minutes for better performance.

session.timeout.auto.extend=false

Set this to true if the user is redirected to the default page when the session expires.

session.timeout.redirect.on.expire=false

Portlets that have been configured to use private session attributes in liferay-portlet.xml may still want to share some session attributes. This property allows you to configure which session attributes will be shared.

Set a comma delimited list of attribute names that will be shared when the attribute name starts with one of the specified attribute names. For example, if you set the value to hello_,world_, then all attribute names that start with hello_ or world_ will be shared.

Note that this property is used to specify the sharing of session attributes from the portal to the portlet. This is not used to specify session sharing between portlet WARs or from the portlet to the portal.

session.shared.attributes=COMPANY_,LIFERAY_SHARED_,org.apache.struts.action.LOCALE,PORTLET_RENDER_PARAMETERS_,PUBLIC_RENDER_PARAMETERS_POOL_,USER_

Explicitly exclude attributes that are shared from the portal to portlets.

session.shared.attributes.excludes=USER_PASSWORD

Set this to true to store the user's password in the session.

session.store.password=false

Set this to false to disable all persistent cookies. Features like automatically logging in will not work.

session.enable.persistent.cookies=true

Set this to true to enable sessions when cookies are disabled. See http://issues.liferay.com/browse/LEP-4787. This behavior is configurable because enabling it can break certain setups.

session.enable.url.with.session.id=true

The login process sets several cookies if persistent cookies are enabled. Set this property to set the domain of those cookies.

Example:

session.cookie.domain=

Set this to true to invalidate the session when a user logs into the portal. This helps prevents phishing. Set this to false if you need the guest user and the authenticated user to have the same session.

Set this to false if the property company.security.auth.requires.https is set to true and you want to maintain the same credentials across HTTP and HTTPS sessions.

session.enable.phishing.protection=true

Set a comma delimited list of attribute names that will be copied to the new session when the property session.enable.phishing.protection is set to true.

session.phishing.protected.attributes=HTTPS_INITIAL,LAST_PATH

Set this to true to test whether users have cookie support before allowing them to sign in. This test will always fail if tck.url is set to true because that property disables session cookies.

session.test.cookie.support=true

Set this to true to allow com.liferay.portal.kernel.servlet.SerializableSessionAttributeListener to test if an added session variable is serializable. Unserializable values stored into the session will cause a session to not replicate if session replication was enabled by the application server.

session.verify.serializable.attribute=true

Set this to true to disable sessions. Doing this will use cookies to remember the user across requests. This is useful if you want to scale very large sites where the user may be sent to a different server for each request. The drawback to this approach is that you must not rely on the API for sessions provided by the servlet and portlet specs.

This feature is only available for Tomcat and requires that you set Tomcat's Manager class to com.liferay.support.tomcat.session.SessionLessManagerBase.

session.disabled=false

Input a list of comma delimited class names that extend com.liferay.portal.struts.SessionAction. These classes will run at the specified event.

Servlet session create event

servlet.session.create.events=com.liferay.portal.events.SessionCreateAction

Servlet session destroy event

servlet.session.destroy.events=com.liferay.portal.events.SessionDestroyAction,com.liferay.portal.events.ChannelSessionDestroyAction

Set this to true to track user clicks in memory for the duration of a user's session. Setting this to true allows you to view all live sessions in the Admin portlet.

session.tracker.memory.enabled=true

Set this to true to track user clicks in the database after a user's session is invalidated. Setting this to true allows you to generate usage reports from the database. Use this cautiously because this will store a lot of usage data.

session.tracker.persistence.enabled=false

Set this to true to convert the tracked paths to friendly URLs.

session.tracker.friendly.paths.enabled=false

Enter a list of comma delimited paths that should not be tracked.

session.tracker.ignore.paths=\
    /portal/render_portlet,\
    \
    /document_library/get_file