sessionTokenRequirement lifetime - asp.net-mvc

When you set the lifetime attribute of
<sessionTokenRequirement lifetime="00:10" />
Does that mean the token will expire in 10 minutes if there is no activity (no POST or GET, etc.)? I am wondering if, when the user makes a POST or GET, it resets back to 10 minutes. What I want is for the user to be logged in as long as they are actively using the app, which should hit the server every minute or so. If they stop using the app, I automatically log them out, but what I don't want is that if they use the app for 11 minutes their claims have been removed. Could someone point me in the right direction?
Is it like the session timeout which times out if the user remains idle? If not is there something like that? Or am I using it in the wrong way?

Related

Looking to automatically time out users on Firebase but having some difficulty

I've got an iPhone app where you create an account, and while you're logged in, you can be either active or inactive. To be clear, even when you're inactive, you're still logged in. I want to make it so that if a user is active but hasn't checked the app or used it for 45 minutes, they are automatically made inactive. Is that possible? If so, how would I go about it? I'm not trying to force a log out, but rather change their state from active to inactive. So in Firebase, for each user, it has a variable for isActive. I'm trying to make it so that turns from 1 to 0 after a certain amount of idle time.
Thank you!
This can be done by leveraging a Cron Job.
There are two things that will need to happen.
You'll need to determine what mechanics indicate a user is active or not. For example, every time the user taps a Search button, that timestamp is written to Firebase. As long as the difference between that time and the current time is less than 45 minutes, take no action.
A cron job to trigger code* that compares a current time stamp to the written time stamp and, if greater than 45 minutes, sets the user to inactive (actually just querying for all users where current time - posted time > 45 minutes, and setting them all to inactive).
*code could be integrated with Firebase Cloud Functions, or your app could be observing a node that's set as well.
The app could also trigger this sequence, but if it goes offline the active/inactive node would not be set or cleared. However, there is an onDisconnect Firebase function you may want to look into as well.
We have a little app we've used to automatically log an employee out of an account if they go afk, and this design pattern works well.
Make a timer variable and make it work. Attach a mousemove event to reset the timer, not stopping the timer. If the time elapsed is greater than your desired limit, call the signOut method in Firebase.
Why mousemove?
To notice the inactivity.
Actually I am a web developer, most of the time dealing with JavaScript. I don't know which programming language you are using, so use a method similar to setTimeout in JavaScript.

Objective-C - How to prevent session id reusing when app terminated?

My main question is how to detect the application termination by the end user when it was in the background (Suspended), to be able to send a logout request to the server?
We already have a timeout interval in the server to kill the session, but assume that the interval is 5 minutes so this means that the session will be alive for 5 minutes after the user terminated the app and anyone can sniff on the data and reuse it.
Notes:
We use HTTPS connection and SSL Certificate Pinning.
We also implemented a heartbeat web service to be called by the client app every fixed interval to tell the server to keep the session alive for this interval; if this web service isn't called for a specific session, the server will kill this session.
Once your app is suspended you don't get any further notice before you are terminated. There is no way to do what you want.
Plus, the user could suspend your app to do something else (like play a game) and then not go back to your app for DAYS.
If you want to log out when the user leaves your app, do it on the willBeSuspended message. Ask for more background time and send a logout right then and there.
Mohamed Amer,
Here is an approach used by Quickblox Server, and I feel it's pretty much solid though it involves a little overhead.
Once the client application (either iOS or Android) establishes the session with the Quickblox server, the Quickblox server expects the client application to send the presence information to the server at a regular interval, continuously.
Sending the presence information is pretty simple. They have written an API which we keep hitting at an interval of 5 mins with the session id that we have. They validate the session id, and once it is found valid they will extend the expiration time for the user associated with that id for 5 mins more.
What they will do, I believe, is this:
Approach 1: they maintain the last hit time, and for all the subsequent requests they check if the request time is within the time frame of 5 min; if yes, simply process it. If the request comes after 5 min, they will delete the session id for the user and respond saying your session has timed out.
Approach 2: Because they provide online and offline info as well, they can't simply depend on the incoming request to delete the session id from the server, so they probably create a background thread which sweeps over the DB to find the entries with last hit time greater than 5 min, removes them from the DB, and declares the user session expired.
Though this involves client apps continuously hitting the server and increases the burden on the server, for an app like a chat application in which presence information is so vital this overhead is still fine, I believe.
Hope I have provided you with some idea at least :)
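The two server-side approaches above (check the last hit time on each request, and sweep for stale entries in the background, as the cron-job answer earlier also suggests) can be combined in one session store. This is an added example, not code from the original posts or from Quickblox; `SessionStore` and its method names are hypothetical, and the absolute `maxAgeMs` cap goes beyond what the answers describe.

```javascript
// Added example: in-memory session store with a sliding idle timeout.
// SessionStore, touch and sweep are hypothetical names; all times are in ms.
const { randomBytes } = require('crypto');

class SessionStore {
  constructor({ idleMs, maxAgeMs }) {
    this.idleMs = idleMs;       // allowed gap between hits (5 min in the answer)
    this.maxAgeMs = maxAgeMs;   // absolute cap: an assumption added here
    this.sessions = new Map();  // id -> { user, createdAt, lastHit }
  }

  create(user, now = Date.now()) {
    const id = randomBytes(32).toString('hex'); // unguessable session id
    this.sessions.set(id, { user, createdAt: now, lastHit: now });
    return id;
  }

  isExpired(s, now) {
    return now - s.lastHit > this.idleMs || now - s.createdAt > this.maxAgeMs;
  }

  // Approach 1: checked on every request or heartbeat; a valid hit slides the window.
  touch(id, now = Date.now()) {
    const s = this.sessions.get(id);
    if (!s) return null;
    if (this.isExpired(s, now)) {
      this.sessions.delete(id); // a late request can never revive the session
      return null;
    }
    s.lastHit = now;
    return s.user;
  }

  // Approach 2: periodic sweep (timer or cron job) for sessions that went quiet.
  sweep(now = Date.now()) {
    const removed = [];
    for (const [id, s] of this.sessions) {
      if (this.isExpired(s, now)) {
        this.sessions.delete(id);
        removed.push(s.user);
      }
    }
    return removed;
  }

  // Explicit logout, e.g. sent when the app moves to the background.
  destroy(id) {
    return this.sessions.delete(id);
  }
}
```

Calling `touch` from the heartbeat endpoint and `sweep` from a scheduled job gives both behaviours; without the absolute cap, a client that keeps sending heartbeats holds its session open indefinitely.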

Time difference between set automatically and by user in iOS device

I'll show my question by example.
So, f.e., it's 12:00 (set automatically) now, but user decided to change the current time to 12:10 (it won't be really exact time, but user wants so).
Is there any way to get this 10 minutes in code?
One method is to connect to a time server on your own. Or, if your app is running when it changes, you could keep a timer running and look for discontinuities in time.
Possible duplicate of: How can I locally detect iPhone clock advancement by a user between app runs?

How to properly implement a user session?

I am trying to change the setup of my iPad app. I would like to set it up in a way so that only a certain section requires authentication. Right now, the app verifies authentication on launch, and that is simply not very user friendly, especially when it comes to information that should be visible without having to authenticate.
My question is more along the lines of: How to check for inactivity on the app? So that after 30 minutes or so I automatically log user off.
Has anyone worked on a similar setup that could point me in the right direction?
From what I have gathered, I can use a notification for when the app goes to the background. Should I set up the timer on that method? Will it be preserved when the app is in the background? In which case, once that timer reaches the set time, simply log the user off? And set up another notification for when the app will enter the foreground within that time frame so that it resets the timer?

How to find the closing of an application window if not 'log out' the session

How to find the closing of an application window without 'log out' of the session. This is to prevent the user from directly going to the previous session. In such cases, the user session should end and direct the user to the login page.
It's a very common problem with websites when you don't want the user to remain "logged in" although the user has left the site.
There are several ways you can achieve that, but IMHO any 100% reliable.
For example you can call an ajax function when the body onunload event is fired, and that function could remove the current user session.
It's only an idea.
The normal/easiest way to solve this is to set Session Expiration to a rather low value (10-20 minutes).
Alternatively, you could remove a session after only 30 seconds of inactivity, and sending a little ajax request every 5 seconds (which obviously stops when the application window/tab is closed).
