Force logout after 20min

Nuno Aguiar

Hi,

 

We have a customer that wants to force logout after 20min / session expires. Is there any setting in DW where I can do this rather than using a JS Timeout and trigger a redirect to extranetlogoff.aspx?

 

Best Regards,

Nuno Aguiar


Replies

 
Morten Bengtson Dynamicweb Employee

Hi Nuno,

The session timeout is controlled by the web server. There is a timeout setting on the application pool and the default is 20 minutes. The user will automatically be logged off after 20 minutes of inactivity.

However, when the session expires, the user will still see the same content as when the user was logged in, until the page is refreshed. If you want the page to be reloaded or to make a redirect when the session expires, then you need to handle that yourself, e.g. by using a JavaScript timeout and/or making AJAX requests to the server and checking if the current user is still logged in.

BR Morten
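
An added example (not part of the original posts, and not Dynamicweb code) of the JavaScript timeout described in the reply above: it tracks the last activity across all open tabs and sends the browser to `extranetlogoff.aspx` after 20 idle minutes. The function and key names and the exact logoff path are assumptions.

```javascript
// Added example; the names and the logoff path are assumptions, not Dynamicweb code.
const IDLE_LIMIT_MS = 20 * 60 * 1000;      // the 20 minutes asked for in the thread
const LOGOFF_URL = "/extranetlogoff.aspx"; // assumed path to the logoff page
const STORAGE_KEY = "lastActivityMs";      // hypothetical key shared by all tabs

function createIdleLogout({ now, storage, onExpire, limitMs = IDLE_LIMIT_MS }) {
  let expired = false;
  const read = () => {
    const v = Number(storage.getItem(STORAGE_KEY));
    return Number.isFinite(v) && v > 0 ? v : null;
  };
  const expire = () => {
    expired = true;
    storage.removeItem(STORAGE_KEY); // other tabs see the missing key and log off too
    onExpire();
  };
  // Record activity; ignored once expired so a late click cannot revive the timer.
  const touch = () => {
    if (!expired) storage.setItem(STORAGE_KEY, String(now()));
  };
  // True once the idle limit has passed with no activity in any tab.
  const check = () => {
    if (expired) return true;
    const last = read();
    if (last === null || now() - last >= limitMs) expire();
    return expired;
  };
  // A page opened after the limit already passed expires at once instead of restarting.
  const last = read();
  if (last !== null && now() - last >= limitMs) expire();
  else touch();
  return { touch, check };
}

// Browser wiring; skipped when run outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const idle = createIdleLogout({
    now: () => Date.now(),
    storage: window.localStorage,
    onExpire: () => window.location.assign(LOGOFF_URL),
  });
  for (const evt of ["click", "keydown", "scroll", "touchstart"]) {
    document.addEventListener(evt, idle.touch, { passive: true });
  }
  setInterval(idle.check, 15 * 1000);
  document.addEventListener("visibilitychange", idle.check); // timers are throttled in background tabs
}
```

Because this runs in the browser, it only drives the redirect; the server-side session and the cookie lifetime still decide whether the user is actually logged out.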

 
Nuno Aguiar

Hi Morten,

 

That's what I figured but after 20 minutes, I clicked on another page and I was automatically logged in again (invisible to the user). I tracked it down to one of these 2 cookies:

  • DW_Extranet

  • DW_ExtranetSessionCookie

 

By deleting them both, the user is logged out. What struck me as odd, is that it looks like DW is considering the AL parameter (assuming this is AutoLogin) to default to True. Can you confirm this?

 

Best Regards,

Nuno Aguiar

AutoLogin.JPG
 
Morten Bengtson Dynamicweb Employee

Well, that's weird. The AL parameter defaults to false, but it might be related to how impersonation works.

We'll try to reproduce this behaviour and get back to you.

BR Morten

 
Nuno Aguiar

Perfect, thank you

 
Nuno Aguiar

Hi Morten,

 

Any news on this?

 

Best Regards,

Nuno Aguiar

 
Nicolai Pedersen

Hi Nuno

If you do not close the browser, session will not die (it will be re-instantiated when server session times out).

BR Nicolai

 
Nuno Aguiar

Hi Nicolai,

 

Yes, I know. For this customer in particular he wants the session to expire after 20min even if he does not close the browser, so we'll need to deactivate those cookies somehow.

 

I looked at the Cookie Manager configuration and could not do it from there. Despite it saying Cookie deactivation, I am unable to delete the 2 cookies I tracked down (see above) that give me the proper behaviour the customer wants. I tried to add a "test" cookie and delete it afterwards, but once it was there, I could not remove it like the documentation says:

http://doc.dynamicweb.com/documentation-8/platform/advanced-settings/web-http#2155

 

Could this be a bug? Am I doing the right thing to ensure the session is expired if the user stands still for 20+ minutes?

 

Best Regards,

Nuno Aguiar

 

 
Nicolai Pedersen

If you want a precise 20 min timeout, you need to do something specifically anyways.

You cannot use the cookie manager for this. You have to go custom if it is that important...

BR Nicolai

 
Nuno Aguiar

Hi Nicolai,

 

Ok, we'll just update DW's cookie expiration timestamp to get the desired result.

 

Thank you,

Nuno

 
