I am posting this here after an unsatisfactory response from a support rep who didn't even read my support case... The support rep said secure zone sessions expire after 60 minutes of inactivity and closed the case when there is an obvious issue with session handling.
Here's the exact text of my case:
I've been noticing this for a while, but cannot seem to pinpoint what is happening. I see it on different BC hosted sites. The login session to a secure zone is randomly timing out. I do know that the cookies are all set to expire when the browser is closed; however, the browser is never closed and the login session still times out. Seems to be more server-driven than cookie-driven.
I just ran this test today and it proved the issue and randomness:
1. Logged into secure zone to a page that is protected by that secure zone.
2. Set my timer for 30 min.
3. After timer expired, I refreshed the page. It immediately kicked me out to the error page that I do not have access to view that page.
4. I logged back in to the same secure zone page.
5. Reset my timer to 30 min.
6. After the timer expired, I refreshed the same page and this time, the page refreshed without a problem and I could continue to navigate to other secure zone pages.
The time frame doesn't matter. I just used 30 minutes, but I was just on remote desktop with a client and we were not on the phone for even 10 minutes and his session randomly timed out even though he never closed the browser and he was actively clicking around to different pages in the secure zone. Personally, when I'm developing and testing it could not even be 5 minutes since my last action in the secure zone and it kicks me out to the error page and I have to log in again. And all I do is refresh the same page I was on to test a change to the code.
We do not use the secure domain and everyone is logged into the unsecure domain. All forms and links use relative links which keep it within the same domain.
It isn't just this site. I have noticed it on other BC sites where someone logs in and by the time they check out their session expired and they check out with a new customer record (I know this because of the email address. The check out form fills in the email address and hides the email address field if they are logged in. But they check out with a different email address which generates a new customer record.)
The browser also doesn't matter. I use Chrome and it randomly expires and I've seen it occur in Firefox, Safari and IE.
Support just ignored the issue and closed the ticket.
Can anyone else confirm this issue?
The secure zone cookie is valid for 1 hour. It will expire after one hour, no matter if you're active or not. That is, unless you tick the "remember me" checkbox, in which case the system will use a permanent cookie. Where the logout may occur is if you use the same username in different browsers or on different machines at the same time. Please make sure that this is not an issue.
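
The policy this reply describes, modelled as an added example (not code from the thread or from Business Catalyst), shows how a logout well under one hour and a logout at one hour give different denial reasons that server-side logging can tell apart. The class and function names are hypothetical, the one-session-per-username rule is an assumption drawn from the reply's remark about simultaneous logins, and the timeline is constructed.

```python
import secrets

ABSOLUTE_TTL = 60 * 60  # seconds; the reply's "valid for 1 hour" (absolute, not sliding)

class SecureZoneSessions:
    """Hypothetical model of the policy in the reply; not Business Catalyst code."""

    def __init__(self):
        self.sessions = {}  # token -> (username, issued_at, remember_me)
        self.active = {}    # username -> most recently issued token

    def login(self, username, now, remember_me=False):
        token = secrets.token_hex(16)
        self.sessions[token] = (username, now, remember_me)
        # Assumption: a newer login for the same username supersedes the older one.
        self.active[username] = token
        return token

    def check(self, token, now):
        """Return 'ok', 'expired', 'superseded' or 'unknown' for a request at `now`."""
        if token not in self.sessions:
            return "unknown"
        username, issued_at, remember_me = self.sessions[token]
        if self.active.get(username) != token:
            return "superseded"
        # Activity never extends the lifetime: only issued_at is compared.
        if not remember_me and now - issued_at >= ABSOLUTE_TTL:
            return "expired"
        return "ok"

def replay(events):
    """Replay (time_s, action, username, browser) events; one verdict per refresh."""
    zone, tokens, verdicts = SecureZoneSessions(), {}, []
    for t, action, user, browser in events:
        if action == "login":
            tokens[browser] = zone.login(user, t)
        else:  # "refresh"
            verdicts.append((t, browser, zone.check(tokens.get(browser), t)))
    return verdicts

# Constructed timeline in seconds; not data from the thread.
TIMELINE = [
    (0,    "login",   "dev", "chrome"),
    (600,  "login",   "dev", "firefox"),  # same username in a second browser
    (1800, "refresh", "dev", "chrome"),   # 30 min after login, under the hour
    (1800, "refresh", "dev", "firefox"),
    (4200, "refresh", "dev", "firefox"),  # exactly one hour after the 600 s login
]
```

Recording the verdict string next to each denied request separates a superseded session from an expired one, which the shared error page does not.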