OAuth: Logout after 15 minutes of inactivity?

Corporate has requested that I change the inactive timeout for Sugar to 15 minutes to match their security policies across their other web/desktop applications.

I have the oauth2 lifetimes as so:

  'oauth_token_expiry' => 0,
  'oauth_token_life' => 86400,
  'oauth2' => [
    'access_token_lifetime' => 600,
    'refresh_token_lifetime' => 900,
    'max_session_lifetime' => 900
  ],

And for the most part, it works perfectly. There are some cases however where there seems to be a disconnect on the client side, and when they try to log back in, they get something along the lines of "No valid authentication for user."

They're still able to login via Incognito mode, so I know it's cache related, but does anyone have a workaround that doesn't involve excessive browser cache clearing?

  • Hey John Hoffmann,

    I did not personally experience the problem you are experiencing, but I wanted to make sure you are aware of a couple of details about one of the settings.

    max_session_lifetime defines the maximum total time a user can be logged in for, unrelated to inactivity. Even if the user is logged in and active, past that amount of time they will have to re-login.

    You can read some additional details in this (old but as far as I know still actual) blog post: Session duration on Sugar 7

    Another detail I wanted to mention while looking into this is located on this link, where it says that access_token_lifetime should be less than half of refresh_token_lifetime.

    Perhaps if you do need something that tracks actual user inactivity you would have to have something at the UI level. A prototype of that (which I am not sure if it still works, but you could take the idea from it) is available here: https://github.com/esimonetti/SugarIdleLogout

    Hope it helps

    --

    Enrico Simonetti

    Sugar veteran (from 2007)

    www.naonis.tech


    Feel free to reach out for consulting regarding:

    • API Integration and Automation Services
    • Sugar Architecture
    • Sugar Performance Optimisation
    • Sugar Consulting, Best Practices and Technical Training
    • AWS and Sugar Technical Help
    • CTO-as-a-service
    • Solutions-as-a-service
    • and more!

    All active SugarCRM certifications

    Actively working remotely with customers based in APAC and in the United States
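An added example (editor's code, not from the thread, from SugarCRM, or from the linked prototype) illustrating the two points in the answer above: a check of the posted oauth2 lifetimes against the "less than half" rule, and a UI-level idle tracker that triggers a logout after 15 minutes without user activity. The function names and the '#logout' route are assumptions for illustration.

```javascript
// Added example, not code from the thread or from SugarCRM. Function names and
// the logout route are assumptions; the lifetime values are the ones posted.

// Config values as posted in the question (seconds).
const POSTED_OAUTH2 = { access_token_lifetime: 600, refresh_token_lifetime: 900,
                        max_session_lifetime: 900 };

// Return a list of findings for an oauth2 lifetime config; empty means OK.
// Only the rule quoted in the answer is checked: access < refresh / 2.
function checkOauth2Lifetimes(cfg) {
  const findings = [];
  const access = cfg.access_token_lifetime;
  const refresh = cfg.refresh_token_lifetime;
  if (!(access < refresh / 2)) {
    findings.push(`access_token_lifetime (${access}s) is not less than half of ` +
                  `refresh_token_lifetime (${refresh}s); use less than ${refresh / 2}s`);
  }
  return findings;
}

// Idle tracker: the UI calls touch() on user activity; check() fires onIdle once
// when timeoutMs has elapsed with no activity. `now` is injectable for testing.
function createIdleTracker({ timeoutMs, onIdle, now = () => Date.now() }) {
  let lastActivity = now();
  let fired = false;
  return {
    touch() { if (!fired) lastActivity = now(); },   // reset on user events
    idleFor() { return now() - lastActivity; },      // ms without activity
    check() {                                         // poll from setInterval
      if (!fired && now() - lastActivity >= timeoutMs) {
        fired = true;
        onIdle();
      }
      return fired;
    },
  };
}

// Browser wiring (skipped under Node): user events reset the timer, a 30 s poll
// enforces the 15-minute policy, and the idle handler navigates to the logout
// route (assumed here to be '#logout'; adjust to the instance's actual route).
if (typeof window !== 'undefined') {
  const tracker = createIdleTracker({ timeoutMs: 15 * 60 * 1000,
                                      onIdle: () => window.location.assign('#logout') });
  for (const ev of ['click', 'keydown', 'mousemove', 'scroll']) {
    window.addEventListener(ev, () => tracker.touch(), { passive: true });
  }
  setInterval(() => tracker.check(), 30 * 1000);
}
```

Run against the posted values the check flags access_token_lifetime of 600 against refresh_token_lifetime of 900, since 600 is not below 450; the tracker itself only decides when to log out and leaves token clearing to the existing logout route.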
