I search the official website and know that a default session timeout is 30 minutes. I want to change it to be 5minutes because i want to count an active user after 5 minutes only.
I cannot find any method to edit the session timeout in firebase dashboard. Can anyone help?
Related
I am using ADB2C (IEF Custom policies and User Flows) to implement signin on a .NET Core WebApp using OpenID (OIDC).
When users login to my app, I am able to check their logged in status using the standard
User.Identity.IsAuthenticated
However, if I close my browser and come back to the app after some time, this logged in status of the user is lost UNTIL I visit the login policy, at which point it auto logs me in.
Is there a simple way to persist the authentication status longer in the cookie so that this step is not needed? I have read in places that there is a way to hold it for 90 days but cant find much info on how to implement this.
In B2C The maximum cookie session time you can configure is 1440 Minutes For Configuring session behavior please go through the document User flows and Custom policy.
Web app session lifetime (minutes) - The lifetime of Azure AD B2C's session cookie stored on the user's browser upon successful authentication.
• Default = 1440 minutes.
• Minimum (inclusive) = 15 minutes.
• Maximum (inclusive) = 1440 minutes.
There is a Keep me signed-in feature which extends the session life time through the use of a persistent cookie. The session remains active after the user closes and reopens the browser. The session is revoked only when a user signs out. The Keep me signed-in feature only applies to sign-in with local accounts. Please refer the document for more information.
Regarding the Persistent tokens lifetime of 90 days it is related to the Azure AD SSO session tokens for that configuration you can refer the document
We have got requirement to restrict concurrent login of same user across 2 Web Applications.
We have 2 Web Applications for example: WebApp1, WebApp2.
User: Dashboard
If Dashboard user is logged into WebApp1 then the same user is not allowed to login to WebApp2 instead show error message on second login.
Tried Solution:
Block 2nd login with same user id if there is an active session and show error message to user.
The idea is to maintain user id, Application Name and session id in DB. On second login of same user check if record exist in DB table against the user id then block 2nd login and show error message to user.
Clear the DB record (UserId, Session Id, and Application Name) in following
scenarios:
Logout
Session Timeout
Restart of Application.
Not Sure how to handle below scenarios.
Close Browser.
Browser Crash
System Crash
If 2nd login request is from valid user then Admin should able to Invalidate the session of first login as this user is attacker.
what is best way to invalidate Http session of WebApp2/ WebApp1?
If you really need to know the state of the first session, I would skip trying to manage sessions in the server, and instead maintain a heartbeat from the client. Have the client make a request every 5 seconds to the server which updates a "Last Seen" record, which includes their IP address and which app they are from, and whether "Last Seen" was a logout event.
Then the other app can interrogate "Last Seen", and if it's more than 5 seconds (I'd actually bump it to 10 for the interrogation), or a LogOut event, assume that the first session went away, and that they are free to log into the second application. If "Last Seen" is less than 5-10 seconds, bump them both out and alert the admin with both the IP Addresses to decide which one should be killed.
In addition to what you have, you could save last activity time in your session DB, and update it, when there is a session update, how often ( every request or once in 5 min for example) it depends on your requirements. Then in case of app/browser/system restart, you log in user, even if record exist, if it is older that session timeout. And you can have admin user that can manually delete entry if required.
The other solution would be to always log in new app, and logout the old one. But that would require introducing additional logic in the application to check if session is still valid.
Is it possible to disable authenticated user in timely matter like trial version for a certain days or hours? Is it possible to do it programmatically? If i'm not mistaken, I can't find a settings within Firebase Authentication Console..
When you hover over a use in the Firebase Auth panel of the Firebase Console, you can see an overflow menu. That menu contains the option to disable the user's account:
This will prevent the user from logging in in the future. It will not immediately disable their access to the app, since their current access token may still be valid for up to an hour. If you want to immediately prevent the user from accessing your app, you'll also want to implement a secondary authorization mechanism, such as keeping a list of banned users in the Firebase Database.
I am using anonymous authentication with Firebase. I know that I can set x hours of session timeout.
To me, it doesn't make sense to timeout a user when he/she is active on the site. Is there a way to extend a user's session when the website is being used actively?
There is currently no way to extend or refresh a Firebase authentication token after it's been minted.
You can monitor .info/authenticated to detect when the user gets unauthenticated.
I have a requirement to make login sessions expire after 24 hours and currently use the following:
Accounts.config({
loginExpirationInDays: 1
});
It appears that a new login token is only created when the user logs out and logs back in, not when login type: resume (such as a page refresh).
If I wanted to make it so that login expiration occured after 24 hours of inactivity, would there be a recommended approach? I think it would be pretty annoying for a user to suddenly be logged out while they are using the application. Or maybe I still have this wrong? Also, can someone confirm that previous login tokens are removed or invalidated after logging out?
Detecting inactivity isn't specific to Meteor, so you might try looking into something like jquery-idle-timeout or jquery-inactivity-timeout. Once you detect inactivity, you can just use Meteor.logout() to log the user out.