Inactivity timeout - log user out after X minutes? jmix 2.3.1

chicojeff · July 22, 2024, 7:02pm

I would like to ensure my users who forget to logout and leave their browser tab open are logged out automatically after a certain number of minutes. We are not high security, so 20-30 minutes would be good.

I have seen reference to the application property jmix.ui.http-session-expiration-timeout-sec in some forum topics, but this does not appear in the documentation. Setting this value does not seem to do anything.

When reading about Vaadin timeouts, there is a lot of confusion about the various settings, heartbeats, and HTTP session versus Vaadin session, etc.

The simple request is: how should I configure jmix so a user who does not touch their browser is logged out automatically after 30 minutes?

Thanks for your help!

-Jeff

p.aleksandrov · July 25, 2024, 9:32am

Hi, Jeff!

jmix.ui.http-session-expiration-timeout-sec setting is not using now.
You should use standart spring boot property server.servlet.session.timeout as it described here Servlet Web Applications :: Spring Boot and you should point out Vaadin parameter vaadin.servlet.close-idle-sessions with true value(default value is false).

The behavior of sessions expiring in Vaadin applications is describied here Application Lifecycle | Advanced Topics | Flow | Vaadin Docs.

We will discuss of adding more concrete description of it in our documentation.

Best regards!

chicojeff · July 27, 2024, 12:23pm

I think part of the problem is people only test this with 1-2 minute timeouts. The heartbeat interval default is 5 minutes, so it does not occur during the short timeouts. I tested with a 6m timeout and found I had to disable the heartbeat for it to work.

This combination of settings appears to work.

server.servlet.session.timeout=30m
vaadin.servlet.close-idle-sessions=true
vaadin.heartbeatInterval=-1