The timeout control for HTTP sessions depends on a number of factors, such as:
- The type of ICF service being used (ITS, NWBC, etc.)
- The kernel release of the system
- Whether HTTP security session management is activated in the system or not (transaction SICF_SESSIONS, SAP Note 1322944)
In general, the expected behavior is that after a successful HTTP logon, a user session is created in the ABAP backend. This session is visible in the transaction SM04 and/or SM05, depending on the scenario and the configuration (see SAP Note 1899896). After the timeout period has passed, the session is deleted from the backend. When the user interacts with the browser after the session has been deleted, the possible system responses are:
1. An error message is displayed in the browser (e.g. 400 Session timed out - please log in again)
2. A logon screen is displayed in the browser
3. The application creates a new session in the backend (without notifying the user)
Again, the actual system response depends on the scenario and the configuration.
For the timeout control of ICF services, the settings below are relevant. Out of all the relevant (service specific and system wide) settings, it is always the shortest timeout period that applies.
1. Service specific timeout setting
For each ICF service, the session timeout can be set in the transaction SICF, on the tab Service Data, in the Session Timeout field. This setting is relevant for the timeout of the application sessions, visible in the transaction SM04. The service specific timeout setting has priority over the system wide timeout setting rdisp/plugin_auto_logout / rdisp/gui_auto_logout, if the service specific value is lower than the system wide timeout period. It is not possible to selectively increase the timeout period for specific services. When the default value 00:00:00 is used, the system wide settings take effect.
2. System wide timeout settings
The system wide timeout settings are specified by the profile parameters below. For details, refer to the documentation of the profile parameters in transaction RZ11.
- http/security_session_timeout - used if HTTP Security Session Management is active; it controls the timeout of security sessions (transaction SM05)
- rdisp/plugin_auto_logout - used for stateful HTTP sessions; it controls the timeout of application sessions (transaction SM04)
- rdisp/gui_auto_logout - relevant for ITS based services, for example WebGUI
- icm/server_port_<xx> - network timeout (TIMEOUT) and processing timeout (PROCTIMEOUT) to be used for a protocol
SAP Note 705013 - Timeout for ICF services based on ITS
SAP Note 1760661 - TH: Work processes terminate with signal 11 in ThPlgTimeout
SAP Note 1899896 - Security Sessions / Application Sessions - and timeouts
SAP KBA 2252413 - SM04: HTTP ITS sessions remain
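The "shortest timeout applies" rule for the service specific and system wide settings above, as an added audit sketch that is not SAP code. It assumes profile values are plain integer seconds, that 0 means no timeout, and that ITS based services are checked against rdisp/gui_auto_logout while other services are checked against rdisp/plugin_auto_logout; the profile excerpt, the policy limit and the zdemo service are constructed sample values.

```python
# Added example (not SAP code). Assumptions: profile values are plain integer seconds,
# 0 means "no timeout", ITS services use rdisp/gui_auto_logout, others rdisp/plugin_auto_logout.
def hms_to_seconds(value):
    """Convert the SICF 'Session Timeout' field (HH:MM:SS) to seconds."""
    h, m, s = (int(p) for p in value.split(":"))
    return h * 3600 + m * 60 + s

def parse_profile(text):
    """Parse 'name = value' profile lines, skipping comments and blank lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params

def effective_timeout(service_timeout, is_its, security_sessions, params):
    """Shortest relevant timeout in seconds, or None if nothing limits the session."""
    system_param = "rdisp/gui_auto_logout" if is_its else "rdisp/plugin_auto_logout"
    relevant = [hms_to_seconds(service_timeout),   # 00:00:00 -> 0: system wide applies
                int(params.get(system_param, 0))]  # application session (SM04)
    if security_sessions:                          # security session (SM05)
        relevant.append(int(params.get("http/security_session_timeout", 0)))
    active = [t for t in relevant if t > 0]
    return min(active) if active else None

def audit(services, params, security_sessions, max_seconds):
    """Return (path, effective) for services with no limit or one above max_seconds."""
    findings = []
    for path, timeout, is_its in services:
        eff = effective_timeout(timeout, is_its, security_sessions, params)
        if eff is None or eff > max_seconds:
            findings.append((path, eff))
    return findings

# Constructed sample data (not from a real system)
SAMPLE_PROFILE = """\
rdisp/plugin_auto_logout = 1800
rdisp/gui_auto_logout = 0
http/security_session_timeout = 3600
"""
SAMPLE_SERVICES = [  # (ICF path, SICF Session Timeout, ITS based?)
    ("/sap/bc/nwbc", "00:00:00", False),
    ("/sap/bc/gui/sap/its/webgui", "00:00:00", True),
    ("/sap/bc/webdynpro/sap/zdemo", "00:10:00", False),  # hypothetical service
]

if __name__ == "__main__":
    print(audit(SAMPLE_SERVICES, parse_profile(SAMPLE_PROFILE), True, 1800))
```

With the sample data, only the WebGUI service is reported: its application session has no limit of its own, so the 3600 second security session timeout is the only bound and it exceeds the 1800 second policy.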
When several browser tabs are opened (e.g. more than six), the new backend sessions may invalidate the older sessions. The browser tabs belonging to the old sessions will show a timeout error, even though the timeout period has not yet passed.
For this case, the recommended approach is described in the SAP Notes below:
SAP Note 1147394 - Error message "Session timeout" when using Portals (also valid for non-Portal applications)
SAP Note 1427190 - ABAP sessions are displaced for applications in the portal (also valid for non-Portal applications)
SAP Note 2214694 - HTTP session handling in NWBC multi session scenarios