Creating a new ticket to share more details as I cannot update the existing ticket - https://support.abp.io/QA/Questions/1352/Identity-server-token
ABP Framework version: v4.3.1
UI type: Angular
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): yes
As part of web application assessment, there was an observation on No Session Timeout. The expiration of JWT was set to 365 days. Need to implement a server side approach which expires a user’s session after a predefined interval (15-20 mins) of inactivity. Kindly advise on how to do it with existing ABP code base in our application.
9 Answer(s)
-
0
Hi ABP team - Can you please advise on this issue?
-
0
Try setting AccessTokenLifetime (or also IdentityTokenLifetime if you need) to 15*60 (token values are in seconds).
If you are using hybrid/authorization code flow and using refresh token, also set AbsoluteRefreshTokenLifetime to 15*60.
-
0
We have updated AbsoluteRefreshTokenLifetime, AccessTokenLifetime, IdentityTokenLifetime for 60*5 seconds for testing. But the application logs out forcefully even if the user is active. This is one of the important tasks we are looking to implement ASAP. We will appreciate your quick response.
-
0
I couldn't understand your scenario. If you set AbsoluteRefreshTokenLifetime to 60*5, it will absolutely log you out after 5 mins. Keep this time longer and keep your Access and Identity tokens' lifetime shorter so that, if the access token is compromised, it will be refreshed in a short amount of time. This is not related to ABP; you can check the Identity Server docs for more information.
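The advice in this answer (short access and identity tokens, longer refresh token), written as an IdentityServer4 client definition with a sliding refresh window. This is an added example, not part of the original thread and not ABP's own code. The client id, redirect URI, the 15-minute window and the 8-hour cap are assumptions, and registering the client through ABP's data seeder is not shown.

```csharp
// Added illustration: IdentityServer4 client settings for an inactivity-style timeout.
using IdentityServer4;
using IdentityServer4.Models;

public static class SessionTimeoutClients
{
    public static Client AngularSpa() => new Client
    {
        ClientId = "MyApp_Angular",                    // placeholder (assumption)
        AllowedGrantTypes = GrantTypes.Code,
        RequirePkce = true,
        RequireClientSecret = false,
        RedirectUris = { "https://localhost:4200" },   // placeholder (assumption)
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile
        },

        // A refresh token is only issued when the client is allowed
        // offline access and also requests the offline_access scope at login.
        // Without one, the session ends when the access token expires.
        AllowOfflineAccess = true,

        // Short-lived tokens: a stolen access token is usable for 5 minutes at most.
        AccessTokenLifetime = 5 * 60,
        IdentityTokenLifetime = 5 * 60,

        // Sliding expiration: each refresh renews the refresh token for
        // SlidingRefreshTokenLifetime seconds. If no refresh happens within
        // that window, the refresh token expires and the user must sign in again.
        RefreshTokenExpiration = TokenExpiration.Sliding,
        SlidingRefreshTokenLifetime = 15 * 60,         // assumed idle window

        // Hard cap: the sliding window never extends past this point,
        // so even a continuously active session ends after 8 hours.
        AbsoluteRefreshTokenLifetime = 8 * 60 * 60,    // assumed cap

        // Rotate the refresh token on every use so a replayed one is rejected.
        RefreshTokenUsage = TokenUsage.OneTimeOnly
    };
}
```

The server only sees refresh requests, so the window measures inactivity only if the client refreshes while the user is actually working and stops when the user is idle.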
-
0
Hi, Thanks for your suggestion. I understand this is not related to ABP but the Identity server is integrated with ABP and thus reaching out to you for advice. Here is what we did but still not able to fix the problem. Will appreciate if you can do a remote call with us to understand and resolve the issue.
Set AbsoluteRefreshTokenLifetime to 60*100 i.e. 100 minutes.
Set AccessTokenLifetime to 60*5 i.e. 5 minutes.
Set IdentityTokenLifetime to 60*5 i.e. 5 minutes.
User remains active but forcefully gets logged out after 5 minutes. There is no call to the refresh token API from the client application when doing such a test. So, does the application refresh the token automatically based on the above settings or is there something additional we need to do to refresh the token?
-
0
Hello, This issue is related to SecurityStampValidator; you will have to just add the below line in the WebModule class in the ConfigureServices method. It needs the package Microsoft.AspNetCore.Identity in case it gives an error for SecurityStampValidatorOptions. This will keep the user active for 24 hours; you can change it as per your convenience.
context.Services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromHours(24));
-
0
Unfortunately the suggested code changes didn't work for us. We added the code into the Host module class and the user is still logged out forcefully after 5 minutes. Please note we are using the .NET + Angular code template (ABP version 4.3.1). Can we have a short remote call to discuss and resolve this issue?
-
0
Can you try to create a new ABP project and test if the same issue occurs on a brand new project?
-
0
This question has been automatically marked as stale because it has not had recent activity.