Timeout behavior and settings
This topic describes timeout settings in Optimizely Configured Commerce.
To maintain compliance with PA-DSS, Optimizely Configured Commerce controls the timeout periods for the website and Admin Console separately. These settings are built into the platform and are not configurable through the Admin Console.
Website timeout settings
By default, the website is set to timeout after 20 minutes of inactivity.
PA-DSS requires a timeout of 20 minutes or less, so if the client accepts credit card transactions, this should not be overridden.
Admin console timeout settings
By default, the user will receive a notification that they will be logged out after 12 minutes of inactivity. After 15 minutes of inactivity the Admin Console will timeout. It will then redirect the user to the login screen and once they sign in, it will return them to where they left off.
Because some clients will not be taking credit cards as a form of payment and will instead rely on purchase orders, being able to adjust the time settings may be necessary. However, it is important to understand that changing timeout settings could possibly cause a site or environment to fall out of compliance with security standards such as PA-DSS.
The timeout settings for the website can be found in the SecurityOptions.AuthenticationCookieLifetime in the Startup.Auth.cs class.
And for the Admin Console, the settings for the startInactivityTimer() function are located in the admin-session-service.ts file.
Updated 4 months ago