Nexus Repository 2 HTTP Session Management

Visit my.sonatype.com for documentation on Nexus Repository version 2.

  • HTTP sessions in Nexus Repository 2 are only relevant when a user is viewing the UI.
  • HTTP session cookies are required to persist the session in the client browser.
  • Reliably expiring the HTTP sessions is only possible in Nexus 2.7.1 and greater.

The Nexus Repository 2 UI will automatically ping the `nexus/service/local/status?perms` resource URL every 15 minutes, as long as the browser is open viewing the UI.

The 15-minute ping value is hardcoded and cannot be changed.

By default, HTTP sessions on the backend expire after 30 minutes of inactivity.

Every minute, the Nexus Repository 2 backend will delete any HTTP sessions it has cached that are older than 30 minutes.

Explicitly setting a session timeout value does not force re-authentication every n milliseconds. It only keeps the backend session alive for up to n milliseconds after the last related HTTP request.

We have an article with more details about the Nexus session cookie name.

Disabling the Automatic UI Session Ping

These steps only apply in Nexus Repository 2.7.1 and greater. Earlier versions are not supported.

  1. Edit conf/nexus.properties. Add on an empty line:

    nexus.ui.keepAlive=false
    
  2. Restart Nexus Repository 2

After these changes, any new browser session will no longer ping the backend to keep the HTTP session alive. HTTP sessions will expire only after 30 minutes of inactivity.

Changing the HTTP Session Timeout Value

Disable the UI ping if you need to distinguish between idle UI sessions and actual user activity.

These steps only apply to Nexus Repository 2.7.1 and greater.

  1. Edit conf/nexus.properties. Add on an empty line:

    shiro.globalSessionTimeout=300000

    The timeout is configured in milliseconds, so the above will give you a 5-minute timeout.

  2. Restart Nexus Repository 2
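The two properties above interact: with the UI ping left on, a timeout longer than the 15-minute ping interval never fires while a browser tab stays open. The script below is an added example, not Sonatype code, that audits the text of a nexus.properties file for this. It assumes each UI ping counts as a request that resets the idle timer; the function names and sample file contents are constructed for illustration.

```python
"""Audit Nexus Repository 2 session settings in conf/nexus.properties text."""

PING_MS = 15 * 60 * 1000             # hardcoded UI ping interval (from the article)
DEFAULT_TIMEOUT_MS = 30 * 60 * 1000  # default backend idle timeout (from the article)
SWEEP_MS = 60 * 1000                 # backend purges expired sessions every minute


def parse_properties(text):
    """Minimal key=value parser; skips blanks and #/! comments. Last value wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return effective settings and whether the UI ping defeats the idle timeout."""
    props = parse_properties(text)
    # The ping is on unless nexus.ui.keepAlive is explicitly set to false.
    keep_alive = props.get("nexus.ui.keepAlive", "true").lower() != "false"
    raw = props.get("shiro.globalSessionTimeout")
    timeout_ms = int(raw) if raw is not None else DEFAULT_TIMEOUT_MS
    return {
        "keep_alive": keep_alive,
        "timeout_ms": timeout_ms,
        # Assumption: a ping resets the idle timer, so a ping that always
        # arrives before the timeout keeps an open tab's session alive forever.
        "ping_defeats_idle_timeout": keep_alive and timeout_ms > PING_MS,
        # Worst case between last request and purge: timeout plus one sweep.
        "max_lifetime_ms": timeout_ms + SWEEP_MS,
    }


# Constructed sample files, not taken from a real installation.
DEFAULTS = "application-port=8081\n"
TIMEOUT_ONLY = "shiro.globalSessionTimeout=300000\n"
LONG_TIMEOUT = "shiro.globalSessionTimeout=3600000\n"
HARDENED = "# idle UI must expire\nnexus.ui.keepAlive=false\nshiro.globalSessionTimeout=300000\n"

if __name__ == "__main__":
    samples = [("defaults", DEFAULTS), ("timeout only", TIMEOUT_ONLY),
               ("long timeout", LONG_TIMEOUT), ("hardened", HARDENED)]
    for name, text in samples:
        print(f"{name:13s} {audit(text)}")
```

A result with `ping_defeats_idle_timeout` set to true means an unattended browser tab holds an authenticated session for as long as it stays open.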
