Login and Session Configuration - Documentation topics on: backend login,security,.

Login and Session Configuration

The login process and user session behavior in dotCMS may be modified to modify security and change dotCMS behavior for user logins and sessions.

Login Process Configuration

The following properties may be changed by editing the Authorization section of the portal.properties file (/dotserver/tomcat-X.x/webapps/ROOT/WEB-INF/classes/portal.properties). Note: it is strongly recommended that all changes to the portal.properties file be made through the dotCMS ROOT folder plugin.

Repeated Login Failures

The following three properties control how dotCMS handles repeated user login failures:


By default, dotCMS uses the Liferay authorization classes]() to handle failed logings, but you may override this by changing the auth.failure and auth.max.failures properties.

By default, users will be locked out of the system (requiring Administrators to reset their account) after 5 consecutive failed logins. To change this, set the auth.max.failures.limit property to the desired number of failed logins before user lockout.

Simultaneous Logins

dotCMS can detect if a user account attempts to log into the dotCMS backend more than once at the same time. By default, dotCMS allows the same user account to login simultaneously, but you may prevent simultaneous logins by changing the auth.simultaneous.logins property to false.



  • If you disable simultaneous logins, all of your backend users should have unique user accounts.
    • Otherwise, if you have multiple users sharing the same login account, only one of those users will be able to login at a time.

Users' Starting Page

By default, when users log in they are redirected to the last page they were viewing before their last logout. You can change this behavior, instead automatically redirecting users to the Workflow Tasks page in the Home tab by setting the auth.forward.by.last.path property to false.


Hide Forgot Password Link

By default, dotCMS displays a “Forgot Password” link that users can click to request support for recovering their password. You may disable this feature by changing the password.forgot.show property to false.



The auto.login.hooks property specifies the class used to handle automatic logins. You may change this property to override the default value with a different class.


User Session Configuration

The following properties can be set to change how dotCMS handles user sessions.

Session Expiration

The session timeout specifies the number of minutes before an inactive user session expires and is automatically logged out. The default value is 30 minutes.


  • Although there is a session.timeout property in the portal.properties file, this value is always overridden by the value set in the web.xml file.
    • Therefore, you should always set the session timeout value via the web.xml file ().
  • It is strongly recommended that all changes to the web.xml file be made through a ROOT folder plugin.

Session Expiration Warning

The session.timout.warning property specifies the number of minutes before a warning is sent to an inactive user session about impending session expiration. This property may be changed by editing the Session section of the portal.properties file (/dotserver/tomcat-X.x/webapps/ROOT/WEB-INF/classes/portal.properties). Note: It is strongly recommended that all changes to the portal.properties file be made through a ROOT folder plugin.


  • Set this value to 0 to disable any warnings (this is the default value).
  • Set this value to a value less than the Session Expiration timeout to give users a warning before their session expires.
    • For example, if the Session Expiration timeout is set to 30, if you set session.timout.warning to 25 then users will be given a session expiration warning 5 minutes before being automatically logged off.