I would like to ensure my users who forget to logout and leave their browser tab open are logged out automatically after a certain number of minutes. We are not high security, so 20-30 minutes would be good.
I have seen reference to the application property jmix.ui.http-session-expiration-timeout-sec in some forum topics, but this does not appear in the documentation. Setting this value does not seem to do anything.
When reading about Vaadin timeouts, there is a lot of confusion about the various settings, heartbeats, and HTTP session versus Vaadin session, etc.
The simple request is: how should I configure jmix so a user who does not touch their browser is logged out automatically after 30 minutes?
jmix.ui.http-session-expiration-timeout-sec setting is not using now.
You should use standart spring boot property server.servlet.session.timeout as it described here Servlet Web Applications :: Spring Boot and you should point out Vaadin parameter vaadin.servlet.close-idle-sessions with true value(default value is false).
I think part of the problem is people only test this with 1-2 minute timeouts. The heartbeat interval default is 5 minutes, so it does not occur during the short timeouts. I tested with a 6m timeout and found I had to disable the heartbeat for it to work.