Introduction

K2 smartforms uses Internet Information Services (IIS) and ASP.NET to manage logon sessions. In terms of ASP.NET, the SmartForms application is not affected by sessions. However, the authentication model may still use headers and cookies to keep track of the authenticated user.

When using Azure Active Directory (AAD), you cannot change the session timeout as it is controlled by the AAD token's ValidTo setting. Specifying the session timeout value on the K2 server has no impact. The default ValidTo setting is 8 hours.

The timeout behavior depends on the authentication configuration in K2 smartforms, as shown below:

Anonymous Access/Connect As Application Pool No timeouts are experienced since all connections are made in the context of the Application Pool Identity user
Windows Authentication No timeouts are experienced as the browser automatically uses NTML or Kerberos to re-authenticate the user
Forms Authentication The user is redirected to the login screen after the session has expired and the current form is lost (standard ASP.NET)
Claims-based Authentication The behavior is controlled by the WIF configuration – usually the user is passively redirected to re-authenticate either using Windows credentials or a Forms based login. The current form may be lost if the re-authentication redirects the user back to the root of the web site. In some cases the user can continue working.

When using Forms Authentication and Claims-based Authentication and the session expires, the user may lose all the information on the Form that they were working on. However, some browsers have the functionality to keep the current state or autocomplete information.

Configuring Session Token and Maximum Token Lifetime Values

You can configure the Session Token and Maximum Token Lifetime values in the STS web.config file to shorten or lengthen the token lifetime.

The SessionTokenLifetime and MaximumTokenLifetime keys control how many seconds the session token remains valid. This is normally set to around 8 hours (28800 seconds).

To change the settings:

  1. Access the web.config files in the following locations:
    • For K2 4.7, or upgrades from K2 4.7:
      Windows Authentication:
       <install drive>:\Program Files (x86)\K2 blackpearl\WebServices\Identity\Sts\Windows\Web.config

      Forms Authentication:
       <install drive>:\Program Files (x86)\K2 blackpearl\WebServices\Identity\Sts\Forms\Web.config
    • For K2 Five or later:
      Windows Authentication:
      "%Program Files%\K2\WebServices\Identity\Sts\Windows\Web.config
      Forms Authentication:
      "%Program Files%\K2\WebServices\Identity\Sts\Forms\Web.config
  2. Change the following values to the required seconds: 

    <add key="SessionTokenLifetime" value="3600" />

    <add key="MaximumTokenLifetime" value="3600" />

This means that the Session Token expires after an hour, which can be helpful when you’re debugging performance issues related to the STS.

Expiring the Browser Session when the Form is Closed

To force people to log in again after they close a form, you must turn off persistent cookies (or in other words, enable session cookies that expire with the closing of the browser). Do this by changing the value for PersistentCookiesOnPassiveRedirects to “0” (false) in the Identity.ClaimRealm table in the K2 database. Keep in mind that this setting applies to all SmartForms on the K2 server, and having multiple forms opened in one browser session may allow them to close and reopen forms without needing to log in again. Contact K2 Support for more information and assistance in making this change.