[FEATURE-13370] Perspective login timeout and auto-relogin

I have not configured any auto-logout scripts yet on my perspective application, but after a certain period, my users are getting automatically logged out. Is there a setting somewhere that determines this length of time? The closest thing I could find was Project Properties>Perspective>Session Timeout, but I suspect that’s more about how long the gateway considers a session active once the device disconnects, rather than a user logout. I set both Desktop and Mobile to 10 seconds to test and confirmed that it’s not related to the users.

A second quirk is that after this auto-logout occurs, if I trigger a login from e.g. a button click, it will open the login page very briefly but then instantly log in with the previously used credentials. If I trigger a logout this does not happen.

It’s as if there’s a timeout which kind-of-but-not-really logs out the current user going on?

The logging back in with previous credentials is likely due to the credentials being in the cache (logging out by clicking “Sign Out” would clear the cache), but it’s odd that your user is being logged out after a set period of time…

Is the time before log-out consistent?

Is your Gateway being restarted for any reason?

Sounds to me like one of a couple of things is happening:

  1. Your browser’s web sockets are losing their connection to the gateway (bad network connectivity from browser to gateway or maybe the machine with the browser went to sleep). When the last web socket disconnects for a given (browser, project) pair, the session timeout begins. When the session timeout elapses, the perspective session for that (browser, project) pair is destroyed. Since the web auth session lives on the perspective session, it will also be destroyed. However, your browser session with the IdP may live on depending on its own session timeout. This would explain why you were able to authenticate without re-entering credentials - your browser’s cookie is still valid.

  2. You changed your IdP’s configuration while your user was logged into a perspective session. Some IdP configuration changes such as changes to the web auth strategy settings will always invalidate the web auth session in a perspective project session.

It seems more likely that #1 is happening unless you remember messing around with IdP configurations on the gateway web interface with the live perspective sessions running? Next time it happens, check to see if your browser is disconnecting from the gateway.

This is almost certainly the case - the client I’m testing is on an iPad, and the iPad is going to sleep (and, therefore, presumably dropping the perspective session). When I open it up to do some more testing, it appears logged out but “automatically” logs back in.

Is there a way to force the logout not only on idle time, but also on session disconnect? Having a session appear to be logged out, but still able to be logged back in without knowing the user name and password is definitely not ideal.

There’s conceivably a feature in having a session force logout on disconnect, but I think it’s arguably not what you want on by default. When it comes to applications on my mobile devices, logging in every time my device goes to sleep is the last thing I want as a user.

1 Like

True. How about the opposite - forcing it to re-authenticate (if the cookie is still valid, and I haven’t actively logged out) when the session re-connects? Ultimately, I just want to avoid the discrepancy between the user functionally logged in and the user with a valid cookie present. Otherwise, a user could conceivably check and see that they appear to have logged out, hand the tablet over to a less-qualified user, and that user could end up with access to elevated privileges without entering a password.

Just bumping this again. @cmallonee is right in that we probably don’t want to force an auto logout on session disconnect, but I do need to find a way to make sure that if the system “looks” logged out, that it actually is logged out, and that you definitely need to enter a username and password to log back in again. Is there anything I can do to at least detect whether the login is still active?

1 Like

That is not a trivial capability but it is possible. I’ll put in a feature ticket for that.

How can we clear the cache? I have an app where they don’t want to require the operators to log in so I have autologin set. (It’s an Android scan gun and difficult to type on.) I also have some admin functions I don’t want them to get to. I have tried adding a button with login and logout scripts but it has odd behavior. If I have restarted the device, the login or logout will do what I want and give me an opportunity to log in as admin. If I try to click it again, it just immediately logs back in as the last user, whether operator or admin, even if I restart the app. This means I have to restart a device if I use any admin features, since that is now the only way to be logged in as an operator. I don’t think it is the autologin, as I gave that operator credentials and I also deleted all passwords in the browser.

There’s a lot going on in your post which is resulting in some confusion on this end. I’m going to operate under the assumption you’re using Perspective, since this is a Perspective thread.

Auto-Login is a Vision concept and has nothing to do with Perspective, and so I’m hoping this is where the disconnect is coming into play. If you’re using Perspective, Auto-Login does nothing.

We did recognize a bug in the Logout/Login behavior of Perspective which we have fixed as of 8.0.11 (which should have RC1 out today or tomorrow), where logging out and back in fairly quickly would result in the original user being logged in instead of asking for the new user’s credentials.

So try this with the new logout/login behaviors in place and let us know if it’s still an issue.