One of our keenest users at a customer site was getting very frustrated because they kept loosing edits to documents late on a morning.
We checked our session time outs and our “Keep Alive” custom control but everything looked fine.

Eventually I realised it was my understanding of the LTPA Token Expiry setting,

Image:Users losing authenticated access to XPage Apps when using SSO / LTPA Tokens [solved]

With Xpage Apps replacing Notes Apps for business applications we have found that users are actively using applications for much longer periods of time.
We have also been using Mark Leusink’s excellent OpenNTF Auto Login to allow users to access these apps more easily ( we are looking at SPNEGO too ).

To use the auto login application we had to implement Multiple Servers SSO and LTPA tokens.
The default “Token Expiration” is 30 minutes and Marks documentation suggests 120 minutes.

What I hadn’t understood was that this expiration time is never updated. You WILL LOOSE AUTHENTICATION at that cut off point.

So if a user logs in at 09:00 and the expiration is set to 30 minutes then they will loose access to the XPage application at 9:30 – even if they have been busy interacting with the server just moments before.

It took a while to figure out what was going on and having discussed it with other developers I am not alone in misunderstanding this. Setting the token expiration to 8 + hours does not seem to be uncommon.
I understand it is a misunderstanding on my part but with a default of 30 minutes and the role of browser apps changing this must be catching out lots of other people.

Some useful links in resolving the issue :

Per Henrik Lausten’s response to a previous Stack Overflow query – http://stackoverflow.com/questions/13286756/lotus-domino-server-with-kerberos-authentication-and-xpages/13287124#13287124

The IBM help documentation ( via Mark Leusink ) – http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_CREATING_THE_WEB_SSO_DOCUMENT_4695_STEPS.html

It is useful to note that the tokens are deleted when the browser is closed so not many will last for 8 + hours.