Session Timeout & Incorrect Password Account Locking

Owned by Checkmarx Bot (Unlicensed)
Last updated: Jan 24, 2022 by Cathy Allison
2 min read

Session Timeout and Incorrect Password Account Locking

VetView Session Timeout


By default, VetView will warn users after 25 minutes of inactivity and then log them 5 minutes later (after a total of 30 minutes of inactivity).

After a predefined time period of inactivity, VetView can display a popup window asking the user if he/she wishes to stay logged in.

Session timeout is set using zk.xml config file in VetView/WEB-INF folder. Shown below is a sample of this tile with session time set to 1800 seconds (30 minutes).

This file should live at:  C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\VetView\WEB-INF\zk.xml

<session-config>
        <session-timeout>1800</session-timeout>
        <timeout-message>Session timeout. Please relogin.</timeout-message>
    </session-config>


The system will warn the user about the upcoming session invalidation when the timeout is 5 minutes away from occuring (After 25 mins of inactivity, in the above example). The message stays on for 5 mins before the user is automatically logged out from the system. Inside this 5 minutes, if the user decides to stay logged in and clicks the  'OK' button on the pop up window, the session timer is reset. If the user works in multiple tabs, the warning message should be displayed on all of them.

Exceptions to Session Timeout

Administrators can exempt users from this log-out period by checking the Session Exempt check-box on the User/Employee Management Screen for that user.  This allows are user to stay logged in for an unlimited amount of time with no activity.


There are sometimes other constraints on session timeout which are not set by VetView, such as timeouts in the connection to the database, or VPN restrictions set by your organization. 

DBAs may contact VetView to ensure that the Oracle or Postgres database has been configured with the optimal settings.

Tomcat Session Timeout

This is an optional secondary method of ensuring that inactive users are fully timed out of the system.  This also frees up a session if you have a large number of users. 

The Tomcat session timeout is in the following web.xml file in the session-config section:
C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\web.xml

Tomcat's timeout file is measured in minutes.  The example below is set to auto terminate the session after 30 minutes of no activity. 

   <session-config>
        <session-timeout>30</session-timeout>
    </session-config>


Incorrect Password Account-Locking

VetView locks the account of a user if someone gets the password incorrect 5 times in a 10 minute period.  

This password lock can be reset under the User/Employee Management Screen.

VetView Wiki

Most recent releases of VetView:  Version 4.1.3 Hotfix (Released 2/16/2024)