While connecting to any of the web interface pages of EJBCA, an HTTP(S) session is initialized. By default, this session lasts for 30 minutes and then terminates unless there has been any page activity during that period of time. Since authentication to the web interfaces is performed using a client certificate, a terminated session will be re-initialized (with a new sessionId) as soon as the browser is refreshed. The browser holds the client certificate, hence there is no natural way of completely terminating the session and forcing re-authentication from the server side (logout) unless the browser is restarted after session termination.
How sessions behave can however be configured to a certain extent by administrators, see Configuring session timeout.
Accessing the Administration Web requires a client certificate with sufficient access rights. Each new session will create an audit log entry, stating details regarding the "Log-in". Terminated and timed-out sessions will also be audit logged (as of the EJBCA 7.0.0 release). Note that this is not necessarily the exact point in time when the browser is closed, rather when the session ends.
Configuring session timeout
The session timeout, i.e. the allowed period of inactivity before the session is terminated, is configured in Admin Web > System Configuration > Basic Configuration. To set the session timeout, select Enable Session Timeout and then specify the timeout (in minutes). Note that this is not required to enable the default session timeout of 30 minutes; it only overrides the default with a longer or shorter allowed period of inactivity before the session terminates. Enabling the Enable Session Timeout setting will redirect the user to a "Logout page" once the session ends. This configuration applies to Admin Web only.
The side menu in the Admin Web contains a "Logout" button. Clicking it immediately terminates the current session and redirects the user to the "Logout Page" in the RA Web over the public protocol (by default http://[...] on port 8080), so that a new session is not initialized.
As mentioned above, since the browser holds the certificate, re-authentication will not take place when navigating back to the Admin Web. To force re-authentication (from the client side), do one of the following:
Close the browser after logout.
Run on an Internet Explorer 6+ browser (which allows clearing authentication cache).
A logout operation using IE6+ browsers will clear the authentication cache of all current browser sessions, not only the EJBCA Admin Web one.
Sessions in the RA Web behave slightly differently from those in the Admin Web. The default timeout works the same way. However, a session keep-alive service lowers the session timeout and actively re-validates the session in order to keep the RA user logged in, while being able to detect when the browser is closed and terminate the session. Initialized and ended sessions of the RA Web are written to the server log, though not audit logged.
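The following Python model illustrates the two session behaviours described above: an inactivity timeout with audit events on login, timeout and logout, where an expired session is simply re-initialized on the next request because the browser still presents its certificate (Admin Web), and a keep-alive variant whose shorter window lets a closed browser be detected quickly (RA Web). It is an added, constructed example and not EJBCA's own code; the clock is in minutes, the names (SessionManager, RaSessionManager, heartbeat, expire_idle) are illustrative, and the 3-minute keep-alive window is an assumption, not a value from the documentation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_TIMEOUT_MIN = 30.0   # default inactivity timeout described in the documentation


@dataclass
class Session:
    session_id: str
    cert_subject: str      # subject of the client certificate the browser presented
    last_activity: float   # minutes on a constructed clock


@dataclass
class SessionManager:
    """Inactivity-timeout sessions for a certificate-authenticated web UI (Admin Web model)."""
    timeout_min: float = DEFAULT_TIMEOUT_MIN
    sessions: Dict[str, Session] = field(default_factory=dict)
    # (event, session_id, cert_subject): stands in for the audit log entries
    audit_log: List[Tuple[str, str, str]] = field(default_factory=list)
    _counter: int = 0

    def _start(self, cert_subject: str, now: float) -> Session:
        self._counter += 1
        s = Session(f"sess-{self._counter}", cert_subject, now)
        self.sessions[s.session_id] = s
        self.audit_log.append(("LOGIN", s.session_id, cert_subject))
        return s

    def _end(self, session_id: str, event: str) -> None:
        s = self.sessions.pop(session_id)
        self.audit_log.append((event, s.session_id, s.cert_subject))

    def expire_idle(self, now: float) -> List[str]:
        """End every session idle longer than the timeout; return the ended ids."""
        ended = [sid for sid, s in self.sessions.items()
                 if now - s.last_activity > self.timeout_min]
        for sid in ended:
            self._end(sid, "TIMEOUT")
        return ended

    def request(self, session_id: Optional[str], cert_subject: str, now: float) -> str:
        """Handle a page request. The browser re-presents its certificate, so a
        missing, expired, or mismatching session is re-initialized with a new id
        rather than producing a login prompt."""
        self.expire_idle(now)
        s = self.sessions.get(session_id) if session_id else None
        if s is None or s.cert_subject != cert_subject:
            s = self._start(cert_subject, now)
        else:
            s.last_activity = now
        return s.session_id

    def logout(self, session_id: str) -> None:
        """Server-side logout: ends the session, but cannot stop the browser from
        starting a new one on its next request (see request())."""
        if session_id in self.sessions:
            self._end(session_id, "LOGOUT")


@dataclass
class RaSessionManager(SessionManager):
    """RA Web model: the page sends keep-alive pings, so the effective timeout can be
    far shorter than 30 minutes and a closed browser (no more pings) is noticed soon."""
    timeout_min: float = 3.0   # assumed keep-alive window; not a documented value

    def heartbeat(self, session_id: str, now: float) -> bool:
        """Re-validate the session on a keep-alive ping; False if it is already gone."""
        self.expire_idle(now)
        s = self.sessions.get(session_id)
        if s is None:
            return False
        s.last_activity = now
        return True
```

Running `SessionManager().request(None, "CN=Admin", 0.0)` starts a session; a request 35 minutes later with that id times it out and immediately starts a fresh one, which is exactly why a server-side logout alone does not force re-authentication. The RA variant ends a session a few minutes after the last ping instead of after 30 minutes of "inactivity".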