My requirement is, I want to logout the user after 3 minutes of inactivity whether the app is in background or foreground.
In worklight.properties,
mfp.session.independent=false
mfp.attrStore.type=HttpSession
serverSessionTimeout=3
In main.js, for the session timeout when the app is in foreground, I have set
WL.Client.setHeartBeatInterval(-1);
Now, the application perfectly logging out, but once the app is logged out i want to show the user that session is timed out.
Is there any method available in Mobilefirst which will be triggered on session time out?
There is no built-in feature to handle this. You need to write custom logic. For example, have some flag stored in the localstorage of the application and store in it what was the last way the user logged in, due to actively tapping the logout button, and if not... it means it was due to a session timeout.
Lets say, create a variable called activelyLoggedOut. By default false.
The user logs in...
Some time has passed... a request is made. The session expired. When the challenge is received then in the challenge handler you check for the value of activelyLoggedOut, if it's false you know that it's because of session expiration - output the relevant message.
or, the user taps "logout". Before logging out, change the value to "true",
Related
I created a public app in Oracle Apex 20.1
I set session management like that --> session management
Application has no authentication and every page is public.
Unfortnently in the application logs I found many erros with Your session has expired message. It occurs multiple times in exactly same time. In user column there is a null value instead of nobody.
Logs from application
I would appreciate any advice how to fix my app
This is expected behaviour, there is nothing wrong with your application. Every page rendering in apex is a session - that is also true for public pages. The user is set to "nobody" indicating that the session is not authenticated. When a user leaves his browser open, eventually the session will time out.
You can increase the session idle time in Shared Components > Security attributes, but sessions will still timeout when they're idle for longer than this value.
The entries you're seeing in the application log seem to be coming from an ajax request, not from a page rendering action. This is hard to diagnose with no info about your application. I'm assuming you have a dynamic action or some javascript code with a timer to refresh the page or a page region. Once the session expires, those ajax requests start erroring out. What you could do is figure out what component/process is throwing the error message and put some logic in it so it only fires if the session is valid (using APEX_CUSTOM_AUTH.IS_SESSION_VALID)
After loggin in OneDrive through a web application as explained here (http://msdn.microsoft.com/en-us/library/dn659751.aspx), I can see that a session (WL.getSession()) is obtained correctly. However, if I make a refresh on the page, it is getting lost. I guess this is due to some cookies management. Is it possible to have the session not cleared at refresh?
Thanks,
Stanislav
Typically, you should call WL.login or otherwise check login status first (see WL.getloginStatus). These will return a session object if the user is logged in and has consented, so on refresh your session object should not be null unless they have logged out and you need to sign them in again. You may be "losing" the session depending on when you are calling WL.getSession()
Check out the interactive SDK sample on signing users in
I can redirect a user to home page upon session logout.. this was very simple. However, if an user had logged into the app and had the page open, even on session time out, he is able to perform all the functions(this is bad).
The redirect does not happen until the page is refreshed, or submitted to the server... there are some update functions that could be done by the user even if he is not currently logged in... I have done a lot of research but unable to fix this solution. I also found this thread but it seems to have no proper answer:
Spring Security 3.1 - Automatically redirect to login page when session-timeout occurs
For example, most of the banking sites log you out after a time out.. they do not wait until you come back and then submit a request before you are redirected to home page.
HTTP is stateless. To achieve some form of state the server can maintain a session for each user by giving them a session id on their first request. The user would have to resend that session id on each future request to identify that the other requests happen within the same session.
Because the session is maintained by the server, there is no way to notify the client that the session has timed out.
Instead, if the user makes a new request when the session is timed out, their session ID is no longer good and therefore you can take a particular action like redirect them to login page.
Assuming nothing works out. You may want to consider below mentioned approches:
Approach 1:
Create a cookie on browser and have encrypted timestamp in it that will contain last visited/request timestamp from browser, for each request first get get this cookie value and compare with the pre-defined session out time, if session-out time reached then redirect user to error page else serve the request. On logout delete the cookie.
Why encrypted value for timestamp: if somehow user gets to know about cookie used for session timeout then (s)he can change this value in browser and keep on sending this request.
Approach 2:
You can also achieve this by making an entry in your database for every logged-in user and updating timestamp in this database for each request. For each incoming request get this timestamp from database and compare it with pre-defined value for timeout and handle accordingly. On logout delete the entry.
In both the approaches explicitly perform response.redirect("errorPageUrl");
I am new to lift and trying to write a simple login application. When I leave my login page for some time, and I enter username and password it doesn't login instead it perform session expire behavior.
I checked the log and found that whenever I got INFO - Session navoo0xdu1ia1vi8m1c0cnl3w expired log message, the above behavior happens.
I am not able to understand why request is using the existing session, even if it's already expired. Please guide me where can I found documentation/example/tutorial to understand this behavior and how to implement simple session based login functionality.
Any help will be appreciated since this problem is bottleneck to me. I googled a lot but couldn't find anything useful.
If your session is expiring then it is because of one of two things:
1) The value set in LiftRules.sessionInactivityTimeout
or
2) The value set for session expiry within your container session.
The former is actually set to nothing by default, which means the latter will override it. Be aware however that provided you are interacting with Lift and have not disabled the heartbeat pulse then sessions do not expire. If you watch the AJAX traffic you will notice a page heartbeat used for function GC which keeps the page bound functions alive.
How do websites generally log users out and send them to the log in screen automatically when a user's session expires? Is this done through ajax or running async handlers? Can you give me a bit of an explanation.
Banks and such use a client-side timeout via javascript, or something similar. Really, though, the server handles the actual session, so if you disabled the client-side logic it would act as if you were attempting to make transactions while logged out.
Use a cookie as well as a session.
Cookie must be set when a session is
started.
If the cookie is present but the
session is gone, redirect to the
login screen.
If there is no session and no cookie
do nothing
(pardon me if you can't do that because I never used ASP and basing my answer on my PHP knowledge)
Typically, you set an expiration timestamp on your session ID cookie. When the cookie fails to be sent, the client is logged off (no given session ID).
This method is often combined with JavaScript and another timestamp token. When the timers start running down, a notification is sent that allows the user to "refresh" their session... essentially, making a request before the session timestamp expires.
The "refresh" request could be anything, even something as simple as an image load.
If you are using Tomcat you can use its built in <security-constraint> mechanism within your web.xml definition. All of the timing, login screen, and page redirects are handled by Tomcat with little effort on your part other than definitions.
Oh, IIS... nevermind.