By: Jean Paul Ybanez user 12 Sep 2018 at 2:02 a.m. CDT

10 Responses
Jean Paul Ybanez gravatar
Hi Gluu Team, I have 2 objectives to try out with Gluu's SSO and Web Application. First objective is to force user to log out if user is in idle or no activity within 4 hours. So, in the web application if it will reach 4 hours with no activity, it will then redirect to Gluu's login page. Second objective is to force user to log out if the browser is close. So the next time the user access the web application it will redirect to Gluu's login page. How can achieve the objectives mention above. Any inputs are highly appreciated. Thanks and Good day.

By Chris Blanton staff 12 Sep 2018 at 2:49 p.m. CDT

Chris Blanton gravatar
> First objective is to force user to log out if user is in idle or no activity within 4 hours. So, in the web application if it will reach 4 hours with no activity, it will then redirect to Gluu's login page. This would have to be handled application side where an inactive session time is tracked and compared with the last activity time. From here the application can delete the users session, which would force them to re-auth and additionally end the users session at the OP using a [front channel logout](https://openid.net/specs/openid-connect-session-1_0.html#RPLogout), if you want them to be logged out globally. > Second objective is to force user to log out if the browser is close. So the next time the user access the web application it will redirect to Gluu's login page. This can be achieved by disabling `sessionIdEnabled` in `Configuration` -> `JSON Configuration` -> `oxAuth Configuration`. Whenever the browser is closed, the session cookie should be deleted and they'll be prompted again to login through oxAuth.

By Jean Paul Ybanez user 12 Sep 2018 at 9:18 p.m. CDT

Jean Paul Ybanez gravatar
Hi Chris, Thanks for the reply. Regarding the First objective, I see, so this is handled in the application side. I will try this out. Regarding the Second objective, since there is an attribute to be configured. Does this have any after effects if sessionIdEnabled is disabled? Can you provide any info about sessionIdEnabled, its pros and cons? Thanks and Have a Good day.

By Jean Paul Ybanez user 14 Sep 2018 at 4:30 a.m. CDT

Jean Paul Ybanez gravatar
Hi Chris, I've tried what you suggested about disabling the sessionIdEnabled but it does not work according to the second objective. I've tried it in IE11 and it needs to login twice. First with the OxAuth page then followed by a security prompt which ask again the credentials. After, its the same behavior if sessionIdEnabled is true. Could you provide steps or any inputs with this. Thanks and Have a Good day.

By Chris Blanton staff 14 Sep 2018 at 1:19 p.m. CDT

Chris Blanton gravatar
> After, its the same behavior if sessionIdEnabled is true. You mean that the session will maintain in your client even if you close your browser entirely?

By Jean Paul Ybanez user 17 Sep 2018 at 5:11 a.m. CDT

Jean Paul Ybanez gravatar
Hi Chris, Yes, I think so because after i login in then closed the browser and access again the application it does not redirect to login screen instead it redirect to home screen as if it is login already. BTW, im using the implicit flow with OIDC JS Client. Thanks and Good day

By Chris Blanton staff 20 Sep 2018 at 11:52 a.m. CDT

Chris Blanton gravatar
Hey Jean, Re-enable `sessionIdEnabled` and set `sessionIdLifetime` to 0. This should change the IDP `session_id` and `session_state` cookie to expire on Session.

By Chris Blanton staff 20 Sep 2018 at 11:53 a.m. CDT

Chris Blanton gravatar
> the application it does not redirect to login screen instead it redirect to home screen as if it is login already. This happens after clicking "Login" correct?

By Jean Paul Ybanez user 24 Sep 2018 at 5:06 a.m. CDT

Jean Paul Ybanez gravatar
Hi Chris, I'll try this out. > Re-enable sessionIdEnabled and set sessionIdLifetime to 0. This should change the IDP session_id and session_state cookie to expire on Session. Also, regarding this > the application it does not redirect to login screen instead it redirect to home screen as if it is login already. > This happens after clicking "Login" correct? You mean Login button in Gluu's Login page? If so, then No since it will not redirect to login screen.

By Chris Blanton staff 03 Oct 2018 at 1:40 p.m. CDT

Chris Blanton gravatar
Jean, > Re-enable sessionIdEnabled and set sessionIdLifetime to 0. This should change the IDP session_id and session_state cookie to expire on Session. I've come to the realization that this is only a feature in 3.1.4. My mistake. You can however upgrade your instance easily by using our upgrade scripts located here: [https://repo.gluu.org/upd/](https://repo.gluu.org/upd/), specifically the `3-1-4-upg.sh`. Follow [these instructions from the docs](https://gluu.org/docs/ce/upgrade/#overview) and you'll be up to date.

By Jean Paul Ybanez user 05 Oct 2018 at 4:58 a.m. CDT

Jean Paul Ybanez gravatar
Hi Chris, Sorry for the late reply. >I've come to the realization that this is only a feature in 3.1.4. My mistake. You can however upgrade your instance easily by using our upgrade scripts located here: https://repo.gluu.org/upd/, specifically the 3-1-4-upg.sh. Follow these instructions from the docs and you'll be up to date. Ah I see, so this is only possible to 3.1.4. I'll try this out soon. Thanks and Good day.