Open Closed

Force users to logout if the user inactive for a period of time #1692

User avatar
0
annguyentps created
  • ABP Framework version: v4.1.2
  • UI type: Angular
  • DB provider: EF Core
  • Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

Hi, this is the case that I have encountered: I login to the browser and kept it open while the computer was put to sleep mode and I could still access without logging in the day after. I have set AbsoluteRefreshTokenLifetime=1800 (30 minutes), Is there a way to force logout in that case?

Go to accepted answer
10 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi annguyentps

    Would it still happen if the computer was not sleeping?

    set AccessTokenLifetime and AbsoluteRefreshTokenLifetime to 1 minute and retry.

  • User Avatar
    0
    annguyentps created

    Hi maliming

    Yes, it still happen if the computer was not sleeping. I have a feeling I'll never be logged out if I still open browser. If I close browser and waiting for timeout then reopen the browser, I get the login page. I had set AccessTokenLifetime and AbsoluteRefreshTokenLifetime to 1 minute. I see the refresh token api in the network, one of them fails with invalid_grant (so can not get new token), then a few second some api get error, then I refresh the page (press f5) and I can still access to the system without logout.

    I also tried setting expire time for cookies, but it not work .AddCookie("Cookies", options => { options.ExpireTimeSpan = TimeSpan.FromMinutes(1); options.SlidingExpiration = true; });

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I will check this.

  • User Avatar
    0
    Mehmet created

    Hi @annguyentps

    The problem has already fixed. You should upgrade your solution to the v.4.4.0. Please refer to Upgrading the ABP Framework document.

    2
  • User Avatar
    0
    annguyentps created

    Thanks Mehmet I will upgrade my solution, will let you know the result later.

  • User Avatar
    0
    annguyentps created

    Hi Mehmet After upgrade to the v4.4.0, the login button will be appeared in the navbar when the token expires. But when I click to this button, I can access to the system without login.

    Is there a way for the system to redirect to the login page when the token expires?

  • User Avatar
    0
    Mehmet created

    Hi,

    We are working to redirect the user to the login page when the token expires. We are having some issues with the authorization code flow. We'll let you know when the issue is resolved.

    Thanks!

  • User Avatar
    0
    ServiceBot created
    Support Team Automatic process manager

    This question has been automatically marked as stale because it has not had recent activity.

  • User Avatar
    0
    annguyentps created

    Hi @Mehmet, Do you have any updates for this, or is there a new version that has addressed this?

  • User Avatar
    0
    Mehmet created

    Hi,

    It will probably be resolved in v5.0. Thanks for your understanding.

Assignee
User avatar maliming
Labels
None yet
Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11