Session Time Out automatically

Hello All,

Is there any way to terminate session automatically when user is idle for five minutes?

Can we configure this from the application?

So ideally I want that if my user doesn't make any action for five minutes, application must ask him/her to login again.

In DotNet we use "session.invalidate()" function to terminate the session when user doesn't perform any operation. So is there any way in OutSystems to automatically terminate the session?

Thanks and Regards,
Suraj Borade
Hi Suraj,

The default value for the session time-out depends on the application server:
.NET: 20 minutes and this value can be configured in machine.config file;
J2EE: 60 minutes and this value can be configured in /etc/.java/.systemPrefs/outsystems/prefs.xml file.
Is there any difference on how the platform treats session variables created by the user versus the system ones (UserId for example)? My variables allways expire before the UserId variables. Why? In fact, it seems UserId never expires. Cookies? Can I manage to get my own variables with the same treatment?
Suraj, if you want to terminate a session from a user, just call Logout. That will log him out and he'll need to log back in.

João Melo, no ... All variables in the session are treated equally, no discrimination. What you're probably experiencing is the user setting "Remember Login" when logging in. The session will all be wiped, but when the user returns to the site if he has Remember Login he will be logged back in again automatically. This will give the impression that other variables timed out sooner.

If you want to restore session variables after a session has expired, you may want to save the relevant variables into a user-associated table and restore it in the "OnSessionStart" special action.
Ok, good Ricardo. Thanks for the tips. It makes sense now. Can I change the timeout configuration on a Personal Environment?
I never actually tried it, but in theory you could use Factory Configuration to set the session timeout in your Personal environment.
Hello All, 

Thanks a lot for your reply.

Tiago Neves,
Where can I find machine.config file in OutSystems? and How should I set automatic session time out there? Can you please provide some links or screenshot?

Can we call Logout function automatically when user is idle for five minutes i.e. user is just logged in the application and not doing anything on the screen i.e. he/she is not refresing the application screen or not using any functionality in that case if he/she tries to access the application after five minutes application must ask user to login again.

I just had look in Factory Configuration application but not getting how to set session timeout. Can you please explain at what point I need to set session timeout?

Thanks a lot.

HI suraj,
machin.config is .net's config file and you can find it
[C:\WINDOWS\Microsoft.NET\Framework\<Version>\CONFIG\machine.config] where version is your .net version.

You can call logout function as and when required , also you can have a javascript timer to check if the user is idle or not and from there you can call logout function to kill user session.

Thanks Pramod.

I will check and let you know soon.
Well, answering Suraj's question on "how to use Factory Configuration", Factory Configuration works by applying a xslt transform on the web.config generated for the application. Adding settings here will override settings defined at a higher level (for example, the global machine.config or web.config files).

You have several examples of pre-made rules which you can probably adapt to your needs.

The process goes like this:

1) define a shared configuration ( XSLT Transform )
2) associate the shared configuration with a specific module

This post explains in further detail the whole process.
A small comment off-topic:

There are so many hidden treasures in the forums! I am preparing a map on these and other precious docs... Maybe I'll present something about it at our MeetOut #1.

Session timeout is not working correctly for me, the user is not logged out for hours or days. I have made changes to this file, but the system is not picking up.


Thanks and Regards,
Swapnil Gupta

Could it be that the user selected "Remember Login" ?
There is no session timeout, or it just looks like it?
It could be a similar situation, which could occur when using "Windows Integrated Authentication".
Hi Ricardo, 

Thanks for your reply!

If the user has selected "Remember Login", then configuring automatic session timeout in  /etc/.java/.systemPrefs/outsystems/prefs.xml  will not help??

Thanks amd Regards,
Swapnil Gupta
If a a user selects Remember Login on that browser they'll be logged in again when they access the application after the session times out.

So it gives the impression that the session has not timed out, when it has. If you really want users to HAVE to login again after a certain amount of inactivity, you can simply disable Remember Login from your login screen.
Dear All,

Can we create a timer - which keeps on checking session time and executes logout ?
I am not sure if this is possible, has anyone tried it already?

Thank You,
Hello Shamil,

The OutSystems Platform already has a recurrent task to clear up expired sessions from the database.

Can you please explain what you're trying to achieve a bit better?

Best regards,
Ricardo Silva
Hi Shamil,

I think I'm basically asking the same thing. My sinerio is a uses is logged in to an app and walks away for say 60mins. I want the screen to automatically refresh on the server timeout event while the user is away. I don't clients potentially senative information on display too long.

Suraj Borade wrote:
Hello All,

Is there any way to terminate session automatically when user is idle for five minutes?

 You could do this in 3 ways (choose the method that works best for you!)

1) Javascript


2) HTML 
<meta http-equiv="refresh" content="300; URL=">

(Add meta via HttpRequestHandler extension)


3) Flag
Add flag and verify flag is valid via a system event 


hello, y have a problem with the session variables,  when they is finished and the user do a action, I´d like to show login page. do you know how?

Yes, there is a way to do this, I have some sample code put together but it was an internal item so I can't really share it. Basically you push the session id into some JavaScript, then write a REST service that looks up the session to see if it should still be active or not, have the JavaScript call that REST service every minute or so, and once it gets "user session is expired" from the REST service, make sure that the user's authentication cookies get cleared and send them to the login page.


Is there any way to give the user some feedback and ask them if they want to cancel the timeout, just in case they don't want to be logged out?

Alan -

See this sample code:

It can easily be edited to meet your needs.