Open Closed

No session timeout issue #1458


User avatar
0
Repunjay created

Creating a new ticket to share more details as I cannot update the existing ticket - https://support.abp.io/QA/Questions/1352/Identity-server-token

ABP Framework version: v4.3.1 UI type: Angular DB provider: EF Core Tiered (MVC) or Identity Server Separated (Angular): yes

As part of web application assessment, there was an observation on No Session Timeout. The expiration of JWT was set to 365 days. Need to implement a server side approach which expires a user’s session after a predefined interval (15-20 mins) of inactivity. Kindly advise on how to do it with existing ABP code base in our application.


9 Answer(s)
  • User Avatar
    0
    Repunjay created

    Hi ABP team - Can you please advise on this issue?

  • User Avatar
    0
    gterdem created
    Support Team

    Try setting AccessTokenLifetime (or also IdentityTokenLifetime if you need) to 15*60 (token values are in seconds).

    If you are using hybrid/authorization code flow and using refresh token; also set AbsoluteRefreshTokenLifetime to 15*60.

  • User Avatar
    0
    Repunjay created

    Try setting AccessTokenLifetime (or also IdentityTokenLifetime if you need) to 15*60 (token values are in seconds).

    If you are using hybrid/authorization code flow and using refresh token; also set AbsoluteRefreshTokenLifetime to 15*60.

    We have updated AbsoluteRefreshTokenLifetime, AccessTokenLifetime, IdentityTokenLifetime for 60*5 seconds for testing. But the application logs out forcefully even if the user is active. This is one of the important task we are looking to implement ASAP. We will appreciate your quick response.

  • User Avatar
    0
    gterdem created
    Support Team

    Try setting AccessTokenLifetime (or also IdentityTokenLifetime if you need) to 15*60 (token values are in seconds).

    If you are using hybrid/authorization code flow and using refresh token; also set AbsoluteRefreshTokenLifetime to 15*60.

    We have updated AbsoluteRefreshTokenLifetime, AccessTokenLifetime, IdentityTokenLifetime for 60*5 seconds for testing. But the application logs out forcefully even if the user is active. This is one of the important task we are looking to implement ASAP. We will appreciate your quick response.

    I couldn't understand your scenario. If you set AbsoluteRefreshTokenLifetime to 60*5, it will absolutely log you out after 5 mins. Keep this time longer and keep your Access and Identity tokens life time shorter so that, if the access token is compromised, it will be refreshed in short amount of time.

    This is not related with ABP, you can check identity server docs for more information

  • User Avatar
    0
    Repunjay created

    Try setting AccessTokenLifetime (or also IdentityTokenLifetime if you need) to 15*60 (token values are in seconds).

    If you are using hybrid/authorization code flow and using refresh token; also set AbsoluteRefreshTokenLifetime to 15*60.

    We have updated AbsoluteRefreshTokenLifetime, AccessTokenLifetime, IdentityTokenLifetime for 60*5 seconds for testing. But the application logs out forcefully even if the user is active. This is one of the important task we are looking to implement ASAP. We will appreciate your quick response.

    I couldn't understand your scenario. If you set AbsoluteRefreshTokenLifetime to 60*5, it will absolutely log you out after 5 mins. Keep this time longer and keep your Access and Identity tokens life time shorter so that, if the access token is compromised, it will be refreshed in short amount of time.

    This is not related with ABP, you can check identity server docs for more information

    Hi, Thanks for your suggestion. I understand this is not related to ABP but the Identity server is integrated with ABP and thus reaching out to you for advise. Here is what we did but still not able to fix the problem. Will appreciate if you can do a remote call with us to understand and resolve the issue.

    Set AbsoluteRefreshTokenLifetime to 60100 i.e. 100 minutes. Set AccessTokenLifetime to 605 i.e. 5 minutes. Set IdentityTokenLifetime to 60*5 i.e. 5 minutes. User remains active but forcefully gets logout after 5 minutes. There is no call to refresh token api from client application when doing such test. So, does application refreshes token automatically based on above settings or there is something additional we need to do to refresh token?

  • User Avatar
    0
    suraj.kumbhar created

    Try setting AccessTokenLifetime (or also IdentityTokenLifetime if you need) to 15*60 (token values are in seconds).

    If you are using hybrid/authorization code flow and using refresh token; also set AbsoluteRefreshTokenLifetime to 15*60.

    We have updated AbsoluteRefreshTokenLifetime, AccessTokenLifetime, IdentityTokenLifetime for 60*5 seconds for testing. But the application logs out forcefully even if the user is active. This is one of the important task we are looking to implement ASAP. We will appreciate your quick response.

    I couldn't understand your scenario. If you set AbsoluteRefreshTokenLifetime to 60*5, it will absolutely log you out after 5 mins. Keep this time longer and keep your Access and Identity tokens life time shorter so that, if the access token is compromised, it will be refreshed in short amount of time.

    This is not related with ABP, you can check identity server docs for more information

    Hi, Thanks for your suggestion. I understand this is not related to ABP but the Identity server is integrated with ABP and thus reaching out to you for advise. Here is what we did but still not able to fix the problem. Will appreciate if you can do a remote call with us to understand and resolve the issue.

    Set AbsoluteRefreshTokenLifetime to 60100 i.e. 100 minutes. Set AccessTokenLifetime to 605 i.e. 5 minutes. Set IdentityTokenLifetime to 60*5 i.e. 5 minutes. User remains active but forcefully gets logout after 5 minutes. There is no call to refresh token api from client application when doing such test. So, does application refreshes token automatically based on above settings or there is something additional we need to do to refresh token?

    Hello, This issue is related to SecurityStampValidator, you will have to just add below line in WebModule class in ConfigureServices method. It needs this package Microsoft.AspNetCore.Identity in case gives error for SecurityStampValidatorOptions. This will keep user active for 24 hours/ you can change as per your conveniece.

    context.Services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromHours(24));
    
  • User Avatar
    0
    Repunjay created

    Try setting AccessTokenLifetime (or also IdentityTokenLifetime if you need) to 15*60 (token values are in seconds).

    If you are using hybrid/authorization code flow and using refresh token; also set AbsoluteRefreshTokenLifetime to 15*60.

    We have updated AbsoluteRefreshTokenLifetime, AccessTokenLifetime, IdentityTokenLifetime for 60*5 seconds for testing. But the application logs out forcefully even if the user is active. This is one of the important task we are looking to implement ASAP. We will appreciate your quick response.

    I couldn't understand your scenario. If you set AbsoluteRefreshTokenLifetime to 60*5, it will absolutely log you out after 5 mins. Keep this time longer and keep your Access and Identity tokens life time shorter so that, if the access token is compromised, it will be refreshed in short amount of time.

    This is not related with ABP, you can check identity server docs for more information

    Hi,
    Thanks for your suggestion. I understand this is not related to ABP but the Identity server is integrated with ABP and thus reaching out to you for advise. Here is what we did but still not able to fix the problem. Will appreciate if you can do a remote call with us to understand and resolve the issue.

    Set AbsoluteRefreshTokenLifetime to 60100 i.e. 100 minutes.
    Set AccessTokenLifetime to 60
    5 i.e. 5 minutes.
    Set IdentityTokenLifetime to 60*5 i.e. 5 minutes.
    User remains active but forcefully gets logout after 5 minutes. There is no call to refresh token api from client application when doing such test. So, does application refreshes token automatically based on above settings or there is something additional we need to do to refresh token?

    Hello, This issue is related to SecurityStampValidator, you will have to just add below line in WebModule class in ConfigureServices method. It needs this package Microsoft.AspNetCore.Identity in case gives error for SecurityStampValidatorOptions. This will keep user active for 24 hours/ you can change as per your conveniece.

    context.Services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromHours(24));

    Unfortunately the suggested code changes didn't worked for us. We added the code into Host module class and the user is still logged out forcefully after 5 minutes. Please note we are using .Net + Angular code template (ABP version 4.3.1). Can we have a short remote call to discuss and resolve this issue?

  • User Avatar
    0
    alper created
    Support Team

    Can you try to create a new ABP project and test if the same issue occurs on a brand new project?

  • User Avatar
    0
    ServiceBot created
    Support Team

    This question has been automatically marked as stale because it has not had recent activity.

Made with ❤️ on ABP v9.1.0-rc.1. Updated on January 17, 2025, 14:13