OAuth: Logout after 15 minutes of inactivity?

Corporate has requested that I change the inactive timeout for Sugar to 15 minutes to match their security policies across their other web/desktop applications.

I have the oauth2 lifetime's as so:

  'oauth_token_expiry' => 0,
  'oauth_token_life' => 86400,
  'oauth2' => [
    'access_token_lifetime' => 600,
    'refresh_token_lifetime' => 900,
    'max_session_lifetime' => 900
  ],

And for the most part, it works perfectly. There are some cases however where there seems to be a disconnect on the client side, and when they try to log back in, they get something along the lines of "No valid authentication for user."

They're still able to login via Incognito mode, so I know it's cache related, but does anyone have a workaround that doesn't involve excessive browser cache clearing?

Parents

0 Enrico Simonetti over 4 years ago
Hey John Hoffmann,
I did not personally experience the problem you are experiencing, but I wanted to make sure you are aware of a couple of details about one of the settings.
max_session_lifetime defines the maximum total time a user can be logged in for, unrelated to inactivity. Even if the user is logged in and active, passed that amount of time, will have to re-login.
You can read some additional details in this (old but as far as I know still actual) blog post: Session duration on Sugar 7
Another detail I wanted to mention while looking into this, is located on this link where it says that access_token_lifetime should be less than half of refresh_token_lifetime.
Perhaps if you do need something that tracks actual user inactivity you would have to have something in the ui level. A prototype of that (which I am not sure if it still works, but you could take the idea from it) is available here: https://github.com/esimonetti/SugarIdleLogout
Hope it helps
--

Enrico Simonetti

Sugar veteran (from 2007)

www.naonis.tech

Feel free to reach out for consulting regarding:

API Integration and Automation Services

Sugar Architecture

Sugar Performance Optimisation

Sugar Consulting, Best Practices and Technical Training

AWS and Sugar Technical Help

CTO-as-a-service

Solutions-as-a-service

and more!

All active SugarCRM certifications

Actively working remotely with customers based in APAC and in the United States
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Enrico Simonetti over 4 years ago
Hey John Hoffmann,
I did not personally experience the problem you are experiencing, but I wanted to make sure you are aware of a couple of details about one of the settings.
max_session_lifetime defines the maximum total time a user can be logged in for, unrelated to inactivity. Even if the user is logged in and active, passed that amount of time, will have to re-login.
You can read some additional details in this (old but as far as I know still actual) blog post: Session duration on Sugar 7
Another detail I wanted to mention while looking into this, is located on this link where it says that access_token_lifetime should be less than half of refresh_token_lifetime.
Perhaps if you do need something that tracks actual user inactivity you would have to have something in the ui level. A prototype of that (which I am not sure if it still works, but you could take the idea from it) is available here: https://github.com/esimonetti/SugarIdleLogout
Hope it helps
--

Enrico Simonetti

Sugar veteran (from 2007)

www.naonis.tech

Feel free to reach out for consulting regarding:

API Integration and Automation Services

Sugar Architecture

Sugar Performance Optimisation

Sugar Consulting, Best Practices and Technical Training

AWS and Sugar Technical Help

CTO-as-a-service

Solutions-as-a-service

and more!

All active SugarCRM certifications

Actively working remotely with customers based in APAC and in the United States
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data