Session Time Out automatically

Hello All,

Is there any way to terminate session automatically when user is idle for five minutes?

Can we configure this from the application?

So ideally I want that if my user doesn't make any action for five minutes, application must ask him/her to login again.

In DotNet we use "session.invalidate()" function to terminate the session when user doesn't perform any operation. So is there any way in OutSystems to automatically terminate the session?

Thanks and Regards,
Suraj Borade
Hi Suraj,

The default value for the session time-out depends on the application server:
.NET: 20 minutes and this value can be configured in machine.config file;
J2EE: 60 minutes and this value can be configured in /etc/.java/.systemPrefs/outsystems/prefs.xml file.
Is there any difference on how the platform treats session variables created by the user versus the system ones (UserId for example)? My variables always expire before the UserId variables. Why? In fact, it seems UserId never expires. Cookies? Can I manage to get my own variables with the same treatment?
Suraj, if you want to terminate a session from a user, just call Logout. That will log him out and he'll need to log back in.

João Melo, no ... All variables in the session are treated equally, no discrimination. What you're probably experiencing is the user setting "Remember Login" when logging in. The session will all be wiped, but when the user returns to the site if he has Remember Login he will be logged back in again automatically. This will give the impression that other variables timed out sooner.

If you want to restore session variables after a session has expired, you may want to save the relevant variables into a user-associated table and restore it in the "OnSessionStart" special action.
Ok, good Ricardo. Thanks for the tips. It makes sense now. Can I change the timeout configuration on a Personal Environment?
I never actually tried it, but in theory you could use Factory Configuration to set the session timeout in your Personal environment.
Hello All, 

Thanks a lot for your reply.

Tiago Neves,
Where can I find the machine.config file in OutSystems, and how should I set automatic session time out there? Can you please provide some links or a screenshot?

Ricardo,
Can we call the Logout function automatically when the user is idle for five minutes, i.e. the user is just logged in to the application and not doing anything on the screen, i.e. he/she is not refreshing the application screen or not using any functionality? In that case, if he/she tries to access the application after five minutes, the application must ask the user to login again.

I just had a look in the Factory Configuration application but am not getting how to set the session timeout. Can you please explain at what point I need to set the session timeout?

Thanks a lot.


Hi Suraj,
machine.config is .NET's config file and you can find it at
[C:\WINDOWS\Microsoft.NET\Framework\<Version>\CONFIG\machine.config] where version is your .NET version.

You can call the logout function as and when required. Also, you can have a JavaScript timer to check if the user is idle or not and from there you can call the logout function to kill the user session.

Thanks Pramod.

I will check and let you know soon.
Well, answering Suraj's question on "how to use Factory Configuration", Factory Configuration works by applying an XSLT transform on the web.config generated for the application. Adding settings here will override settings defined at a higher level (for example, the global machine.config or web.config files).

You have several examples of pre-made rules which you can probably adapt to your needs.

The process goes like this:

1) define a shared configuration ( XSLT Transform )
2) associate the shared configuration with a specific module

This post explains in further detail the whole process.
A small comment off-topic:

There are so many hidden treasures in the forums! I am preparing a map on these and other precious docs... Maybe I'll present something about it at our MeetOut #1.
Hi,

Session timeout is not working correctly for me, the user is not logged out for hours or days. I have made changes to this file, but the system is not picking up.

/etc/.java/.systemPrefs/outsystems/prefs.xml 



Thanks and Regards,
Swapnil Gupta

Could it be that the user selected "Remember Login" ?
There is no session timeout, or it just looks like it?
It could be a similar situation, which could occur when using "Windows Integrated Authentication".
Hi Ricardo, 

Thanks for your reply!

If the user has selected "Remember Login", then configuring automatic session timeout in  /etc/.java/.systemPrefs/outsystems/prefs.xml  will not help??


Thanks and Regards,
Swapnil Gupta
If a user selects Remember Login on that browser they'll be logged in again when they access the application after the session times out.

So it gives the impression that the session has not timed out, when it has. If you really want users to HAVE to login again after a certain amount of inactivity, you can simply disable Remember Login from your login screen.
Dear All,

Can we create a timer - which keeps on checking session time and executes logout ?
I am not sure if this is possible, has anyone tried it already?

Thank You,
Shamil
Hello Shamil,

The OutSystems Platform already has a recurrent task to clear up expired sessions from the database.

Can you please explain what you're trying to achieve a bit better?

Best regards,
Ricardo Silva
Hi Shamil,

I think I'm basically asking the same thing. My scenario is a user is logged in to an app and walks away for say 60 mins. I want the screen to automatically refresh on the server timeout event while the user is away. I don't want clients' potentially sensitive information on display too long.

Cheers
Steve
Suraj Borade wrote:
Hello All,

Is there any way to terminate session automatically when user is idle for five minutes?

 
 You could do this in 3 ways (choose the method that works best for you!)

1) Javascript
<script>setTimeout(function(){window.location.href='https://www.domain.com/app/Logout.aspx/'},300000);</script>

OR

2) HTML 
<meta http-equiv="refresh" content="300; URL=https://www.domain.com/app/Logout.aspx/">

(Add meta via HttpRequestHandler extension)

OR

3) Flag
Add flag and verify flag is valid via a system event 

 

Hello, I have a problem with the session variables: when they are finished and the user does an action, I'd like to show the login page. Do you know how?

Yes, there is a way to do this, I have some sample code put together but it was an internal item so I can't really share it. Basically you push the session id into some JavaScript, then write a REST service that looks up the session to see if it should still be active or not, have the JavaScript call that REST service every minute or so, and once it gets "user session is expired" from the REST service, make sure that the user's authentication cookies get cleared and send them to the login page.


J.Ja

Is there any way to give the user some feedback and ask them if they want to cancel the timeout, just in case they don't want to be logged out?

Alan -

See this sample code:

https://www.outsystems.com/forge/component/1886/login-session-timeout-sample/

It can easily be edited to meet your needs.

J.Ja
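
The polling approach J.Ja describes above, combined with the warning prompt Alan asks about, as an added example that is not part of the original thread or of the Forge component. The names `createIdleWatcher`, `/rest/session/status` and `/Logout` are assumptions; the sketch relies on the session cookie being sent with the request instead of pushing the session id into script, and on the server enforcing the timeout, so the status check must not itself renew the session.

```javascript
// Added example. STATUS_URL and LOGOUT_URL are hypothetical endpoints.
const STATUS_URL = '/rest/session/status'; // must NOT renew the session
const LOGOUT_URL = '/Logout';

// Pure state machine so it can be tested without a browser.
function createIdleWatcher({ idleMs, warnMs, now, onWarn, onExpire }) {
  let lastActivity = now();
  let state = 'active';
  return {
    // Call on real user input only, never from the background poll.
    activity() {
      if (state !== 'expired') { lastActivity = now(); state = 'active'; }
    },
    // serverAlive: result of the latest server-side session check.
    tick(serverAlive) {
      if (state === 'expired') return state;
      const idle = now() - lastActivity;
      if (!serverAlive || idle >= idleMs) {
        state = 'expired';          // server is authoritative; fail closed
        onExpire();
      } else if (idle >= idleMs - warnMs && state !== 'warn') {
        state = 'warn';
        onWarn(idleMs - idle);      // milliseconds left before logout
      }
      return state;
    },
  };
}

// Browser wiring; skipped when run outside a browser.
if (typeof window !== 'undefined') {
  const watcher = createIdleWatcher({
    idleMs: 5 * 60 * 1000,
    warnMs: 60 * 1000,
    now: () => Date.now(),
    onWarn: (ms) => {
      const stay = window.confirm(`Logging out in ${Math.round(ms / 1000)}s. Stay signed in?`);
      if (stay) watcher.activity(); // a real app also renews the server session here
    },
    onExpire: () => window.location.assign(LOGOUT_URL),
  });
  ['click', 'keydown'].forEach((ev) => document.addEventListener(ev, () => watcher.activity()));
  setInterval(() => {
    // The cookie rides along, so the session id can stay HttpOnly.
    fetch(STATUS_URL, { credentials: 'same-origin', cache: 'no-store' })
      .then((r) => r.ok, () => false)
      .then((alive) => watcher.tick(alive));
  }, 30 * 1000);
}
```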

Such monstrous workarounds for such a simple task. That's the beauty of Outsystems.

Alexander Hagen-Thorn wrote:

Such monstrous workarounds for such a simple task. That's the beauty of Outsystems.

I would say that the beauty of OutSystems is that even when you need to do a "monstrous workaround" to something, having a good team, you still are able to deliver your application (with quality), much faster with fewer developers than the ones that would be needed if using a different technology. With the advantage of being easier to maintain the application later... :)

Nevertheless, what would be a way to solve this in OutSystems, from your point of view? I mean, what would you change in the OutSystems platform to simplify this task?

Cheers!


Eduardo Jauch wrote:

Alexander Hagen-Thorn wrote:

Such monstrous workarounds for such a simple task. That's the beauty of Outsystems.

I would say that the beauty of OutSystems is that even when you need to do a "monstrous workaround" to something, having a good team, you still are able to deliver your application (with quality), much faster with fewer developers than the ones that would be needed if using a different technology. With the advantage of being easier to maintain the application later... :)

Nevertheless, what would be a way to solve this in OutSystems, from your point of view? I mean, what would you change in the OutSystems platform to simplify this task?

Cheers!


Hi Eduardo,

To simplify this particular task, it would be nice if Outsystems supported the session timeout per-application as an easily accessible setting. Probably the same thing you do with your extension, just to have it out of the box.

It is not a problem that this particular feature is not there, but this is an example of a common problem we have with systems of this kind: if a feature is not included, it becomes considerably harder to do the thing than it would be with bare vanilla technologies (like ASP.NET in this case). In this example, instead of adding a single line of code to my project, I have to involve all the extension-making machinery.

I agree, you are still able to deliver. And this creates an illusion of success, even if you spent more effort than you could otherwise. 

I have worked with Outsystems for about a year by now, our company partnered with Outsystems, and this collaboration is a crazy success from the managers' perspective: we have new clients (attracted by easy and quick delivery motto), we have new projects, and we are able to deliver -- so nice! But as a developer, I often suffer and remember the metaphors of "trying to paint the room through a keyhole" and "getting the monkey and the whole jungle when you only need a banana".

So my opinion is: Outsystems is a successful marketing project, which really helps to make profit, but it is not a good development tool. 

I mean, if you give Outsystems to inexperienced developers, they still will produce crap. That is why you have to provide all those tutorial courses and certification system. But an experienced developer will feel more comfortable with vanilla technologies.

I am sorry for the offtop here. I probably should not make my comment in the first place, it was just emotional.

Hi Alexander,

You say that your managers are happy, the customers are happy, and that you are able to deliver.
But you are not happy.

I think you are not happy and have this impression that OutSystems is not a "good" development platform, because you are focusing on the wrong things.

An OutSystems Team with 1/3 of the number of (good) developers delivers a fully functional and high-quality application in 1/3 of the time it would be required if using "vanilla" technologies. And this in the worst-case scenario. I saw much better.

That's what makes your managers and customers happy. This is not marketing.

In the end, all technologies have things that are easier or harder to do on them. What matters is the time it takes for you to deliver the solution, with good quality.

OutSystems will not make out of anyone a good developer, as much as any other language/development tool. And like any other development tool, you need to learn how to use it. OutSystems is a Low Code platform, not a No Code one. You are still developing. 

In the end, I don't agree that an experienced developer will feel more comfortable with vanilla technology. I am one, and I know a lot of them, and very few of them, after starting working with OutSystems, want to work with vanilla technologies again.

Of course, many of them would if it pays better ;)

If you'd like, we can continue this conversation in private (to avoid a long thread on a closed topic). I would like to know your experience in OutSystems to understand better why it makes you feel like you say. :)

Cheers!