
Session Timeout

Description

LogicNets has a session timeout mechanism that sets a timeout window when a user logs into an application. The system expires a user's session and logs the user out of an application after that timeout period. A client-side script blanks out the application screen.

In framework-based projects, the system must manage the interaction between the parent application (for example, the starter app) and the child application (for example, the assessment). The mechanism keeps the parent application active as long as the user continues to interact with the child application.

See Session Expiry for information on setting the session timeout.

Authentication Token

The updated expiry mechanism includes an authentication token, which the system shares between the parent and child applications. Like the session, this token has an expiry window, but the token is refreshed as the user works in the child application. The parent application checks the authentication token to determine whether the session should be expired. The authentication expiration window is session timeout + refresh frequency.

Authentication Token Update Frequency

The call from the system to refresh the authentication token is an expensive call, especially if the authentication token is stored with an external IdP. Therefore, the expiration mechanism includes the concept of an update frequency, which minimizes updates to the authentication token.

The system refreshes the authentication token when a request comes in after the update-frequency window has passed but the system is still within the expiry limit of the authentication token. It also refreshes the token when the user switches between the applications, as this is considered an implicit login.
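The following added example (a toy model, not LogicNets code) walks a constructed request timeline through the refresh rules from the Authentication Token and Authentication Token Update Frequency sections. The class, field names, the 1800-second timeout, the 300-second update frequency, and the child session's own idle expiry are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class SharedAuthToken:
    """Toy model of the parent/child token; all names here are assumptions."""
    session_timeout: int        # seconds
    update_frequency: int       # seconds
    refreshed_at: int = 0       # last refresh (login counts as the first)
    last_request: int = 0       # last child-application activity
    refresh_calls: int = 0      # number of expensive refresh calls made

    @property
    def token_expires_at(self) -> int:
        # Expiration window = session timeout + refresh frequency.
        return self.refreshed_at + self.session_timeout + self.update_frequency

    @property
    def session_expires_at(self) -> int:
        # Assumed: the child session expires after session_timeout of inactivity.
        return self.last_request + self.session_timeout

    def parent_alive(self, now: int) -> bool:
        # The parent only looks at the token to decide whether to expire.
        return now < self.token_expires_at

    def on_request(self, now: int, app_switch: bool = False) -> str:
        if now >= self.session_expires_at or not self.parent_alive(now):
            return "expired"
        self.last_request = now
        # Refresh on an application switch (implicit login) or once the
        # update-frequency window has passed; otherwise skip the costly call.
        if app_switch or now - self.refreshed_at >= self.update_frequency:
            self.refreshed_at = now
            self.refresh_calls += 1
            return "refreshed"
        return "skipped"

def simulate(events, session_timeout=1800, update_frequency=300):
    token = SharedAuthToken(session_timeout, update_frequency)
    return [token.on_request(t, sw) for t, sw in events], token

# Constructed timeline: (seconds since login, switched application?)
EVENTS = [(60, False), (240, False), (310, False), (400, True), (500, False), (2400, False)]

if __name__ == "__main__":
    outcomes, token = simulate(EVENTS)
    print(outcomes, token.refresh_calls, token.token_expires_at)
```

In this model the last refresh is always less than one update-frequency window older than the last request, so the token (session timeout + refresh frequency) cannot expire before the child session's own timeout does.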

Session Expiry with Remote/External IdP

When the user is authorized via a remote/external IdP, the Access Token supplied by the remote IdP can expire. When that happens, the local session is also expired, unless it is refreshed using the remote IdP Refresh Token.

Important Notes:
