How do you logout a user from the server in PHP?

I want to create a customisation that logs users out after a certain time of inactivity since closing Sugar in their browser (e.g. log out at night). I need this separate from Oauth token lifetimes so that APIs and the Outlook Plugin can still be configured to never log off.

I'm trying to find a way to log the current user out in Sugar using PHP. I've looked at these files and tried their logout implementations with appropriate adjustments in a custom logic hook and a custom entry point, but none have worked:

clients/base/api/OAuth2Api.php
modules/Users/Logout.php

Do you know of any method of logging out a user without using the browser?

Parents

0 Hector Rios over 6 years ago

Hi
check out this blog post: Session duration on Sugar 7 | Enrico Simonetti [dot com]
From that post you could try removing entries from oauth_tokens table.
HTH
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Artis Plocins over 6 years ago in reply to Hector Rios

Thanks, that's a very helpful article in general!
But it even says that just the table won't be enough:
If the entries are only removed from the database table, it will only fail to re-generate the next token as soon as the current one expires, but it will not logout the users right away.
And I believe there must be a clean method of logging a user out already available, since Sugar does that through the API and in other places. It's weird though that the same code doesn't work in an entry point or a logic hook.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Enrico Simonetti over 6 years ago in reply to Artis Plocins
Hi Artis Plocins,
If you need a user to be logged out after X minutes since login (independently from user activity), you can achieve so by setting the configuration option as stated on the blog post:
$sugar_config['oauth2']['max_session_lifetime'] = <seconds>;
Alternatively, if you need an idle logout triggered client side, I did a POC for a similar use case quite some time ago that you could have a look at as a starting point, and see if it still works. The POC would only apply to browser based inactivity (not mobile or plugins) and it is i initiated client side. The code can be found here: GitHub - esimonetti/SugarIdleLogout: Idle based automatic logout from web browser ui
Also, do remember that this could cause issues if the users have unsaved work on their browsers and the system logs them out.
As a disclaimer, as usual please note that any of the code changes samples provided are "as is" and it would be your responsibility to maintain and support.
--

Enrico Simonetti

Sugar veteran (from 2007)

www.naonis.tech

Feel free to reach out for consulting regarding:

API Integration and Automation Services

Sugar Architecture

Sugar Performance Optimisation

Sugar Consulting, Best Practices and Technical Training

AWS and Sugar Technical Help

CTO-as-a-service

Solutions-as-a-service

and more!

All active SugarCRM certifications

Actively working remotely with customers based in APAC and in the United States
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Claus Schiller over 6 years ago in reply to Enrico Simonetti

Hi Artis Plocins
Deleting entries from the oauth_tokens table will not just cause the regeneration of the next token to fail as soon as the current one expires.
It will also logout the users, however not right away, but within 2 min: The oauth_tokens table is checked every 2 mins if the refresh token still exists. If not, the access token is set to NULL and the session is logged out.
See include/SugarOAuth2/SugarOAuth2Storage.php
...
const TOKEN_CHECK_TIME = 120;
...
public function getAccessToken($oauth_token)
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Claus Schiller over 6 years ago in reply to Enrico Simonetti

Hi Artis Plocins
Deleting entries from the oauth_tokens table will not just cause the regeneration of the next token to fail as soon as the current one expires.
It will also logout the users, however not right away, but within 2 min: The oauth_tokens table is checked every 2 mins if the refresh token still exists. If not, the access token is set to NULL and the session is logged out.
See include/SugarOAuth2/SugarOAuth2Storage.php
...
const TOKEN_CHECK_TIME = 120;
...
public function getAccessToken($oauth_token)
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data