Open Closed

Question on user session timeout on Blazor Server #7749


User avatar
0
balessi75 created

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi We have a javascript implementation that will auto logout a user after a certain period of inactivity in the browser which works great.

We'd like to enhance security by providing a server level timeout. Currently if a logged in user closes the browser tab. The user is perpetually still logged in when navigating back to the app.

Is there a way to configure an ABP Blazor Server solution to auto logout/expire a session after a certain period of inactivity at the server level?

Thanks in advance.


5 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    you can try

    services.ConfigureApplicationCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromMinutes(10);
        options.SlidingExpiration = true;
    });
    
  • User Avatar
    0
    omer_yel created

    When we manually delete cookies for this question;

    • After deleting a cookie in a monolithic application and refreshing the page with F5, it goes directly to the Login page.
    • However, in an N-Tiered (Auth-BlazorServer-ApiHost) application, after deleting a cookie from the browser and refreshing the page with F5, it goes to the Auth application and returns with a redirect, continuing as logged in.

    What can be done about this?

  • User Avatar
    0
    balessi75 created

    Hi,

    you can try

    services.ConfigureApplicationCookie(options => 
    { 
        options.ExpireTimeSpan = TimeSpan.FromMinutes(10); 
        options.SlidingExpiration = true; 
    }); 
    

    We added this and it had no affect. The user continues to stay logged in after the specified ExpireTimeSpan. During that timespan, no requests were sent to the server.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    It works for me.

    you need to set the Remember me to true; otherwise, the cookie age is session. you can override the login page to set Remember me to true

  • User Avatar
    0
    balessi75 created

    Thanks as always @liangshiwei

    This was very helpful!

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11