Setting up the automatic logout using CookieAuthentication
Learn how to customize the web session duration and behavior for all system users, using the CookieAuthentication settings.
By default, the i4connected system has a predefined CookieAuthentication expiration time of 14 days, which slides by default. The current tutorial describes the steps needed to customize the web session duration and the behavior that is applied to all system users.
For a better understanding of the setup procedure, here are some notions about the access token and cookie authentication.
An access token and a session are automatically created by the system each time a user logs into the i4connected web portal, using a set of valid credentials. User tokens can be seen in the portal, under the User info panel, by clicking the User tokens tile.
The access token contains the security credentials for the current login session and it is renewed based on periodic API requests. By enabling the cookie authentication settings, you can configure the expiration time span and behavior as follows:
Open the appsetting.json file, available under your i4connected Identity folder, on the machine running the i4connected installation.
Identify the CookieAuthentication settings and enable (uncomment) them. To configure the settings, proceed as follows:
Set the SlidingExpiration property to True.
Tip
The sliding expiration attribute can be set to True or False.
When SlidingExpiration is set to True, the cookie lifetime is automatically extended while the user actively uses the web app. The setting instructs the handler to reissue the cookie with a new expiration time whenever it processes a request that arrives more than halfway through the expiration window. Therefore, in our example (with the ExpireTimeSpan set to 5 minutes), if the user logs into the system at 03:00 PM, the current session will be automatically extended, as long as the user actively uses the web app. If the user closes the browser where the web app is opened, the session will expire at 03:05 PM, resulting in an automatic logout action. However, if the user decides to reopen the web app at 03:04 PM, because the session is still active, the user will not be required to reenter his/her credentials, and the cookie will be extended by another 5 minutes. If the web app is reopened at 03:02 PM, the cookie will NOT be extended, but it will be persisted until 03:05 PM, when it will expire, and it will be extended ONLY if the web app is still open in the browser.
When SlidingExpiration is set to False, the cookie lifetime is not extended even if the user actively uses the web app. Instead, the cookie expires when the time interval set for the ExpireTimeSpan setting ends. Additionally, if the SlidingExpiration property is set to False and you want the cookie to persist across browser sessions, you can enable the Remember me checkbox on the sign-in page. Therefore, if the browser is closed and reopened within the defined expiration lifetime, the user will not be required to reenter his/her credentials.
Set the ExpireTimeSpan to 5 minutes.
Tip
The ExpireTimeSpan controls how long the authentication cookie remains valid from the moment it is created.
The value format of the ExpireTimeSpan setting is DD.HH:MM:SS (Days, Hours, Minutes, Seconds). The session will expire within the interval defined here.
Make sure that your changes are saved.
Open the appsetting.json file, available under your i4connected API folder, on the machine running the i4connected installation, and apply the same settings as for the Identity folder.
Set the SlidingExpiration property to True.
Set the ExpireTimeSpan to 5 minutes.
Make sure your changes are saved.
To apply the above settings, please make sure to restart Internet Information Services (IIS).
It is recommended to perform a manual logout and login from the i4connected web portal after applying the new settings.
Tip
You may also delete the cookie in the browser for the changes to be applied.
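The SlidingExpiration and ExpireTimeSpan behavior described in the steps above can be checked against the 03:00 PM timeline with a small model. This is an added Python example, not i4connected code: the function names, the calendar date and the request times are constructed, and the renewal test is the "more than halfway through the expiration window" rule stated above.

```python
import re
from datetime import datetime, timedelta

def parse_expire_timespan(value):
    """Parse an ExpireTimeSpan string in DD.HH:MM:SS form (the days part is optional)."""
    m = re.fullmatch(r"(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})", value.strip())
    if not m:
        raise ValueError(f"not in DD.HH:MM:SS format: {value!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"field out of range: {value!r}")
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def replay(login, expire_timespan, sliding, request_times):
    """Replay requests against one cookie; return (time, accepted, expiry) per request."""
    issued, expires = login, login + expire_timespan
    results = []
    for now in sorted(request_times):
        if now >= expires:
            results.append((now, False, expires))  # cookie expired: automatic logout
            continue
        # Sliding renewal: reissue only when more than half the window has elapsed.
        if sliding and (now - issued) > (expires - now):
            issued, expires = now, now + expire_timespan
        results.append((now, True, expires))
    return results

if __name__ == "__main__":
    span = parse_expire_timespan("0.00:05:00")       # 5 minutes, as in the tutorial
    at = lambda h, m: datetime(2024, 1, 1, h, m)     # constructed calendar date
    login = at(15, 0)                                # login at 03:00 PM
    runs = [
        (True, [at(15, 2)]),                         # before halfway: not extended
        (True, [at(15, 4), at(15, 8), at(15, 20)]),  # extended twice, then expired
        (False, [at(15, 4), at(15, 6)]),             # fixed lifetime, no extension
    ]
    for sliding, times in runs:
        for now, ok, exp in replay(login, span, sliding, times):
            print(f"sliding={sliding} {now:%I:%M %p} accepted={ok} "
                  f"cookie valid until {exp:%I:%M %p}")
```
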
Note
If you want to configure the access token duration, please proceed as follows:
Connect to your i4connected database server, using either Azure Data Studio or Microsoft SQL Server Management Studio.
Open the Clients table and identify the i4connected client to set the desired value for the AccessTokenLifetime setting. For this tutorial we have set the AccessTokenLifetime to 180 seconds; therefore, a new access token request will be generated every 3 minutes.
Please save your changes.
Warning
Please note that the above tutorial uses short lifetime sessions for demonstrative purposes only. It is recommended to set larger expiry values and a higher access token lifetime if needed.
When enabling the automatic logout option, it is important to know that these settings are applied globally to all i4connected system users.