Open Closed

Force users to re-login if they are inactive in 30 minutes #957


User avatar
0
nhontran created
  • ABP Framework version: v3.3.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:

Hi, I want to force the users to re-login if they are inactive in 30 minutes, I have tried to set the expiry time for Cookies as below but it does not work:

context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.Authority = configuration["AuthServer:Authority"];
                    options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
                    options.Audience = "TestingApplication";
                })
                .AddCookie("Cookies", options =>
                {
                    options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
                    options.SlidingExpiration = true;
                });

Anyone know how to achieve it? any help would be much appreciated.


11 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Change Cookies options only affect to the Identity server website.

    The angular client use JWT to authentication. @Mehmet Do you have any advice?

  • User Avatar
    1
    Mehmet created

    Hi @nhontran

    You can handle many cases (listening some JavaScript events, sharing user activity data with opened tabs, etc.) to achive this. What I suggest is that use a third-party library like this: https://github.com/rednez/angular-user-idle

    But I did not go into detail with the package. You can examine the package and use it if you wish.

    If you want to handle some cases in your app, you can do this in a service.


    You can use the AuthService which is exported from @abp/ng.core package for logging out. See an example:

    import { AuthService } from '@abp/ng.core';
    
    @Injectable()
    export class MyService {
      constructor(private authService: AuthService){}
    
      logout() {
        this.authService.logout().subscribe();
      }
    }
    
  • User Avatar
    0
    nhontran created

    Hi @Mehmet, Thanks for your response. This is exactly what I have done at the frontend side, I just want to implement it at the backend now.

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    This is exactly what I have done at the frontend side, I just want to implement it at the backend now.

    Backend you mean API? You are using Angular application calling an API which is stateless. Whenever token is expired or invalidated, you will be redirected back to login. Nothing to implement in backend.

    Closing the issue. Feel free to re-open or create a new one if your problem persists.

  • User Avatar
    0
    nhontran created

    Hi @gterdem, sorry for taking too long to reply.

    We already implemented the front-end to trigger logout if user is inactive for 30 mins and set the access token life time = 30 mins as well but it does not work for sometimes, we checked the logs and found that client side managed to call refresh token successfully.

    As per Identity Server documentation, the default refresh token lifetime is 30 days: AbsoluteRefreshTokenLifetime Maximum lifetime of a refresh token in seconds. Defaults to 2592000 seconds / 30 days.

    https://identityserver4.readthedocs.io/en/latest/topics/refresh_tokens.html

    This client setting is not available in UI (Administration -> Identity Server -> Clients)

    Is there any other way to configure it?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi nhontran

    It looks like you don't plan to continue using this refresh token feature?

  • User Avatar
    0
    nhontran created

    Hi @maliming, if user is active in the site, we still need to refresh the token before expiration.

    We just dont want to refresh token if user is inactive for a period of time (30 mins).

  • User Avatar
    0
    alper created
    Support Team Director

    sorry I couldn't read the history but how about writing a setInterval method for 30 mins on the client which makes a request to refresh the token at 29:50:00. if the user has closed the browser than it'll not work and the token will expire in the specified time.

  • User Avatar
    0
    nhontran created

    Hi @alper, I think the issue can be resolved by set the AbsoluteRefreshTokenLifetime to 30 mins instead of default 30 days, is there a way to achieve it?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    You can change AbsoluteRefreshTokenLifetime in database or IdentityServerDataSeedContributor .

    AbsoluteRefreshTokenLifetime : 31536000(default 365 day) => 1800(30 min)

  • User Avatar
    0
    ServiceBot created
    Support Team Automatic process manager

    This question has been automatically marked as stale because it has not had recent activity.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11