Force users to logout if the user inactive for a period of time #1692 | Support

annguyentps created 3 years ago

ABP Framework version: v4.1.2
UI type: Angular
DB provider: EF Core
Identity Server Separated (Angular): yes
Exception message and stack trace:
Steps to reproduce the issue:"

Hi, this is the case that I have encountered: I login to the browser and kept it open while the computer was put to sleep mode and I could still access without logging in the day after. I have set AbsoluteRefreshTokenLifetime=1800 (30 minutes), Is there a way to force logout in that case?

10 Answer(s)

0

maliming created 3 years ago
Support Team Fullstack Developer

hi annguyentps

Would it still happen if the computer was not sleeping?

set AccessTokenLifetime and AbsoluteRefreshTokenLifetime to 1 minute and retry.
0

annguyentps created 3 years ago

Hi maliming

Yes, it still happen if the computer was not sleeping. I have a feeling I'll never be logged out if I still open browser. If I close browser and waiting for timeout then reopen the browser, I get the login page. I had set AccessTokenLifetime and AbsoluteRefreshTokenLifetime to 1 minute. I see the refresh token api in the network, one of them fails with invalid_grant (so can not get new token), then a few second some api get error, then I refresh the page (press f5) and I can still access to the system without logout.

I also tried setting expire time for cookies, but it not work .AddCookie("Cookies", options => { options.ExpireTimeSpan = TimeSpan.FromMinutes(1); options.SlidingExpiration = true; });
0

maliming created 3 years ago
Support Team Fullstack Developer

hi

I will check this.
0

Mehmet created 3 years ago

Hi @annguyentps

The problem has already fixed. You should upgrade your solution to the v.4.4.0. Please refer to Upgrading the ABP Framework document.

2
0

annguyentps created 3 years ago

Thanks Mehmet I will upgrade my solution, will let you know the result later.
0

annguyentps created 3 years ago

Hi Mehmet After upgrade to the v4.4.0, the login button will be appeared in the navbar when the token expires. But when I click to this button, I can access to the system without login.

Is there a way for the system to redirect to the login page when the token expires?
0

Mehmet created 3 years ago

Hi,

We are working to redirect the user to the login page when the token expires. We are having some issues with the authorization code flow. We'll let you know when the issue is resolved.

Thanks!
0

ServiceBot created 3 years ago
Support Team Automatic process manager

This question has been automatically marked as stale because it has not had recent activity.
0

annguyentps created 3 years ago

Hi @Mehmet, Do you have any updates for this, or is there a new version that has addressed this?
0

Mehmet created 3 years ago

Hi,

It will probably be resolved in v5.0. Thanks for your understanding.

Have an answer to this question? Log in and write your answer.