At my company, we have a security requirement to clean our tablet/mobile devices after a 60-minute idle period for Cyber Security protection. We use a product called DataSweeper that will run over a tablet/mobile device if it has been idle for 60 minutes, cleaning up the app's data and cache. When this happens, the user of our application is logged out and has to log back in to the app. We have an exception in place for the mobile app space and that works for the app, but not the user logged in. This is becoming frustrating for our users and user base because they do not always have connectivity and to log back into the app, they have to get to Wi-Fi coverage to get back in and continue the work.
What we are trying to understand is:
1. Where are the user credentials stored on the device? This will help us determine if we can get an exception so the user stays logged in.
2. Can the credentials be moved to the same application space as the app on the device so the exception works for app data and user credentials?
We have tested the application without the Cyber Security requirement of DataSweeper and the user can use the app in offline mode without issue of getting logged out of the app.
Hi Jeremy,
The user credentials aren't stored in the phone as a username and password, because this would be a security problem.
When you log in you create a session, and this session data, if I'm not mistaken, is stored in Cordova's browser cookies.
See these docs to learn more about it.
Normally you can set the duration that this cookie will be valid, without needing to go to the server and log in again. But since you are wiping the cache of the app, you are destroying the session and this way you are forcing the users to log in again.
Of course you could store the credentials by customizing your login flow, but it is not recommended in any way.
Hope it helps,
Cheers and Regards
RR :)
Thanks for your response. I will see if this helps us keep from killing the cookies that are stored when the sweeper program runs. We have an exception for the native app, but the user auth cookie was the only thing we couldn't figure out to get an exception on.
Thanks, Jeremy
Is there a way to move the auth cookies to within the application space?
We found out that the tool DataSweeper is unable to create exceptions for specific items within an app. So for the web browser it would clear all of the app and not be able to leave the token cookies. So it doesn't seem like it is going to help us unless we can move those tokens to the app container so the exception works for our scenario.
Thoughts?
I don't think you can change the location of authentication cookies in a way that cleaning the cache of the app would not clean them.
Maybe you could ask OutSystems Support to analyze your case and see if they have any idea on how to make it happen.
The way I see for you to not lose these cookies is to not clear the cache of this app. But this would really not suit your use case.
Cheers and Regards,
Thanks. I started with the support case, but they said this is not a support request which is why I asked here.
I don't think there is a solution outside of building custom auth which I do not want to do. I think we are just going to have to brainstorm ways to use the app and what impacts it might or might not have to the business.