
Logout on inactive #58

Merged
merged 6 commits into from
Nov 5, 2020

Conversation

jasalisbury

Description of change
The idle modal shows after 25 minutes of inactivity. After 30 minutes of inactivity the user is logged out of the TTA smart hub. If the user becomes active while the modal is displayed it is hidden and the counters are reset.

Currently when the modal is shown the message says how long the user has until logout when the modal was first shown. I see two ways to improve the user experience:

  1. We have a running countdown that updates until the user is logged out (e.g. T-minus 1 minute 2 seconds until logout)
  2. We display the actual time at which the user is logged out (e.g. 10:55 am)

How to test

I've set sandbox to show the logout modal at 1 minute of inactivity and to logout users after an additional minute (2 minutes total). I'll need to remember to update the environment variables to 25 minutes (modal) and 30 minutes (logout) before merging.

  1. Browse to sandbox https://tta-smarthub-sandbox.app.cloud.gov/
  2. Login
  3. Become inactive for a minute, note the modal
  4. Wait an additional minute to get logged out

Notes

  • We cannot set frontend environment variables per environment since they have to be set at build time. We will need to figure out how to do so soon. I can see us wanting to set feature flags for one environment but not another.
  • I added a timeout to the session cookie sent from the server. The timeout is currently set at 30 minutes. This timeout is updated every time the user hits the server. There is a potential issue if a user is active on a page but not making API calls for 30 minutes. In that case the user's session will expire but they won't get explicitly logged out on the frontend. If this happens the next call to the API will give a 401, which we will need to handle. I gave some thought to having a 'heartbeat' API endpoint that gets hit periodically, but things get complicated when combined with the inactivity timeout. Let me know if you have any ideas!

Issue(s)

Checklist

  • Meets issue criteria
  • Code tested
  • Meets accessibility standards (WCAG 2.1 Levels A, AA)
  • [n/a] Documentation updated

The idle modal shows after 25 minutes of inactivity. After 30 minutes of
inactivity the user is logged out of the TTA smart hub. If the user
becomes active while the modal is displayed it is hidden and the 25 and
30 minute count is reset.

Currently when the modal is shown the message says how long the user has
until logout when the modal was first shown. I see two ways to improve
the user experience:

 1. We have a running countdown that updates until the user is logged
out
 2. We display the actual time at which the user is logged out (e.g. 10:55
am)
@jasalisbury
Author

Screenshot from 2020-11-02 12-34-01
Screenshot from 2020-11-02 12-34-40

Collaborator

@kryswisnaskas kryswisnaskas left a comment

Looks good! 👍

One comment on the text. Should "You will automatically be logged out..." be "You will be automatically logged out..." It sounds better, although I'll defer to @arickalewis1 on it.

> There is a potential issue if a user is active on a page but not making API calls for 30 minutes. In that case the user's session will expire but they won't get explicitly logged out on the frontend. If this happens the next call to the API will give a 401, which we will need to handle. I gave some thought to having a 'heartbeat' API endpoint that gets hit periodically, but things get complicated when combined with the inactivity timeout. Let me know if you have any ideas!

This might be less of an issue with an autosave which will send changes to the database. I think if we redirect users to login on the backend when using various endpoints, we would eliminate the scenario when someone is active and just reading (not using the backend api) and then clicking to access the api.

@rahearn

rahearn commented Nov 5, 2020

> the scenario when someone is active and just reading

I do worry about this scenario, especially for the PS users, since they won't really be entering any data into the system for the MVP (though theoretically/hopefully they'll be hitting various GET endpoints as they navigate to different reports). What about the inactivity timeout was causing issues?

Potential idea: hit a heartbeat api every 15 minutes as long as the page is open in a browser tab. That will keep the backend session open while the user is potentially just reading, but allow the timeout to happen if the tab is closed. If the frontend timeout triggers because the tab is open but abandoned, then its proactive call to 'logout' will override the heartbeat keeping things alive.
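To make the interaction described in the PR notes (a 30 minute sliding session cookie beside a frontend idle timer that warns at 25 and logs out at 30 minutes) and in the heartbeat proposal above concrete, here is an added, deterministic model in JavaScript. It is not the TTA smart hub's code; `ServerSession`, `IdleTimer`, `simulate` and the event shape are hypothetical, and time is simulated in whole minutes so the three scenarios can be checked without real timers.

```javascript
// Added example: a constructed model (minutes, no real timers) of how the frontend idle
// timer, the server's sliding session cookie and the proposed heartbeat interact.
// ServerSession, IdleTimer and simulate are hypothetical names, not the project's code.

const WARN_AFTER_MIN = 25;    // idle modal appears
const LOGOUT_AFTER_MIN = 30;  // frontend logs the user out
const SESSION_TTL_MIN = 30;   // server cookie lifetime, refreshed on every request
const HEARTBEAT_MIN = 15;     // proposed heartbeat interval while the tab is open

// Server side: sliding expiry, refreshed on every authenticated request.
class ServerSession {
  constructor(now) {
    this.expiresAt = now + SESSION_TTL_MIN;
    this.alive = true;
  }
  // Returns the HTTP status the API would answer with at time `now`.
  request(now) {
    if (!this.alive || now >= this.expiresAt) {
      this.alive = false;
      return 401;
    }
    this.expiresAt = now + SESSION_TTL_MIN;
    return 200;
  }
  logout() { this.alive = false; }
}

// Frontend side: counts minutes since the last user interaction.
class IdleTimer {
  constructor(now) {
    this.lastActivity = now;
    this.modalShown = false;
    this.loggedOut = false;
  }
  // Mouse/keyboard activity hides the modal and resets both counters.
  activity(now) {
    if (this.loggedOut) return;
    this.lastActivity = now;
    this.modalShown = false;
  }
  // Called once per simulated minute. Returns true the minute the logout fires.
  tick(now) {
    if (this.loggedOut) return false;
    const idle = now - this.lastActivity;
    if (idle >= LOGOUT_AFTER_MIN) {
      this.loggedOut = true;
      this.modalShown = false;
      return true;
    }
    this.modalShown = idle >= WARN_AFTER_MIN;
    return false;
  }
}

// events: [{ t, type: 'activity' | 'apiCall' }], t in minutes after login at t = 0.
function simulate(events, { heartbeat = false, durationMin = 60 } = {}) {
  const session = new ServerSession(0);
  const idle = new IdleTimer(0);
  const result = { modalShownAt: null, frontendLogoutAt: null, apiStatuses: [], sessionAlive: true };

  for (let t = 1; t <= durationMin; t++) {
    for (const ev of events.filter((e) => e.t === t)) {
      if (ev.type === 'activity') idle.activity(t);
      if (ev.type === 'apiCall') result.apiStatuses.push({ t, status: session.request(t) });
    }
    if (idle.tick(t)) {
      result.frontendLogoutAt = t;
      session.logout(); // the frontend's explicit logout call ends the server session too
    }
    if (idle.modalShown && result.modalShownAt === null) result.modalShownAt = t;
    // The heartbeat is not user activity: it keeps the server session alive but never
    // resets the idle timer, so an abandoned tab still logs out at 30 minutes.
    if (heartbeat && !idle.loggedOut && t % HEARTBEAT_MIN === 0) session.request(t);
  }
  result.sessionAlive = session.alive;
  return result;
}

// Constructed scenario: a user who reads (moves the mouse every 5 minutes) without
// calling the API, then clicks something that calls the API at minute 47.
const readingUser = [];
for (let t = 5; t <= 45; t += 5) readingUser.push({ t, type: 'activity' });
readingUser.push({ t: 47, type: 'apiCall' });

console.log('no heartbeat:', simulate(readingUser));                    // API call gets 401
console.log('heartbeat:', simulate(readingUser, { heartbeat: true }));  // API call gets 200
console.log('abandoned tab:', simulate([], { heartbeat: true }));       // modal 25, logout 30
```

Without the heartbeat the reading user never trips the idle timer, yet the server cookie expires at minute 30 and the first real API call answers 401, which is the case the PR notes say the frontend must handle. With the heartbeat the session slides forward at 15, 30 and 45 and the call succeeds, while an abandoned tab still shows the modal at 25 and is logged out at 30, since the heartbeat stops once the frontend logout fires.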

@jasalisbury
Author

> the scenario when someone is active and just reading
>
> I do worry about this scenario, especially for the PS users, since they won't really be entering any data into the system for the MVP (though theoretically/hopefully they'll be hitting various GET endpoints as they navigate to different reports). What about the inactivity timeout was causing issues?
>
> Potential idea: hit a heartbeat api every 15 minutes as long as the page is open in a browser tab. That will keep the backend session open while the user is potentially just reading, but allow the timeout to happen if the tab is closed. If the frontend timeout triggers because the tab is open but abandoned, then its proactive call to 'logout' will override the heartbeat keeping things alive.

HHS#132

@jasalisbury jasalisbury merged commit 43d213c into main Nov 5, 2020
@jasalisbury jasalisbury deleted the js-79-logout-on-inactive branch November 5, 2020 16:48