How to log out a specific user

How to log out a specific user

  

Hello guys

I need to create a page where an Admin user can force every user on the application to be logged out (except the Admin themselves). I thought this was a pretty straight forward thing to do, just query all users except the Admin, and call the User_Logout for each record. The problem is that neither the User_Logout (from Users) or Logout (from System) have any input parameters. It apparently fetches the UserId from the session, and logs that user out, meaning I would only log the Admin out, which is the exact opposite of what I want. 

is there anywhere to accomplish what I'm trying?


Thanks,

Ângelo

Hi Ângelo, although the platform does not allow you to do this (see https://www.outsystems.com/ideas/1155/user-logout-optional-parameters), there is this Forge component https://www.outsystems.com/forge/component/1868/autologout/ that makes it possible to logout other sessions for the same User Id. Maybe by tweaking a little bit you can get it to work for other users as well.

EDIT: The idea is to store the sessionId of every user logged in the application. You can obtain the current sessionId by using the action GetSessionId in the HTTPRequestHandler module. Then, when you want to logout a given user, you can call a page of yours, by using the HTTPGet action of the ardoHTTP module, passing the sessionId in the value of the Cookie http header. In the preparation of the page you call the logout action.  

Let us know if it worked.

Greetings, Pedro

Hello Pedro

Thank you for your response

The problem is I want to logout every user, except the one that's actually calling the action

Regards,

Ângelo

Hi Ângelo, I've played a bit with the ideas of the https://www.outsystems.com/forge/component/1868/autologout/ Forge component and it looks as if it is possible to logout other users. 

I'm sending you an application exemplifying it. You can login in the application with multiple users. On the homepage you find a button that triggers the logout of all other users. By clicking on it all other users will be logged out. You can confirm that this is the case by trying to reload the homepage while in the browser where you logged in as a different user. You will be sent to the Login page as the user is no longer logged in.

See if this suits your needs.

Greetings, pedro


Hi Ângelo, just another idea that popped into my mind: you can achieve the same result, in case you are developing a web application, by using the OnBeginWebRequest system event (see: https://success.outsystems.com/Documentation/10/Reference/Platform_Utilities/System_Events/On_Begin_Web_Request). As this action is called on every single request, you can check in it whether the admin user as chosen to logout everyone. If this is the case, just call the Logout action. A user is not logged out the moment the admin user chooses to logout everyone, but only the next time he makes a request. In most web applications, this should produce the same behaviour. The only thing still left is to preserve the decision of the admin user in the database so that you can check it in the OnBeginWebRequest action.

This is probably less work than the possible solution I presented before.

Greetings, pedro

Pedro Rodrigues wrote:

Hi Ângelo, just another idea that popped into my mind: you can achieve the same result, in case you are developing a web application, by using the OnBeginWebRequest system event (see: https://success.outsystems.com/Documentation/10/Reference/Platform_Utilities/System_Events/On_Begin_Web_Request). As this action is called on every single request, you can check in it whether the admin user as chosen to logout everyone. If this is the case, just call the Logout action. A user is not logged out the moment the admin user chooses to logout everyone, but only the next time he makes a request. In most web applications, this should produce the same behaviour. The only thing still left is to preserve the decision of the admin user in the database so that you can check it in the OnBeginWebRequest action.

This is probably less work than the possible solution I presented before.

Greetings, pedro


Hi Pedro,

I think we need to weigh the pros/cons of each approach:

  1. Immediately logging out all users:
    • needs to store information about session cookies for everyone on session start
    • keep track of active sessions (this can be tricky and your example application doesn't really worry about it) and ideally only for actually logged in users
    • makes multiple requests to the server (one for each session/user you want to logout) 
  2. Postponing logging users out to the next time they interact with the application:
    • You need to store information about:
      • "Admin" decision to logout everyone.
      • Who was already logged out based on said decision (per logged in user, store information so that the next time they access the application after login, the OnBeginWebRequest won't log them out immediately)
    • You are also constantly executing extra logic/queries on all requests (including Ajax requests), which might slow down the overall experience.

After analysing both approaches, I'd probably favour the second one, but it'll depend on Ângelo's requirements.

Solution

I tried implementing a generic component that implemented option 2 above... hit a wall, due to the nature of OnBeginWebRequest and OnSessionStart.

Complementing the sample solution Pedro provided above implementing option 1, attached you can find a working solution and also the failed attempt using a reusable component (2 different screens on the same application).

Solution

Thanks Jorge


That was very helpful


Best regards,

Ângelo