Looking for a way to display a message when a users security session expires

Docs Security and Login
#1

I have pages secured by a Security Provider Enforcer, but I’ve noticed that a session can expire (no longer technically logged in) but the page remains open and appears normal to the user. If they do a hard-refresh or similar action it will take them to the appropriate screen to sign in again. But, if they remain on the page and do things like update a form, then page acts as if it were performing the function, but since they are expired, the Server Action does not execute.

How is the best way to display a message on the screen when the session expires?

#2

I have an App Connect to a query of ‘LoggedInUser’ which has the condition in Server Connect where the UserID = Security Identity so it returns the one record of the logged in user.

I then use the scheduler to re-load that Server Connect every 2 or 3 minutes and, if it returns unauthorised then it can do anything - I redirect to the homepage but you can do anything… an alert, a login modal, hide the data, etc.

Or, assuming your Server Connect uses the Security Enforcer, then just re-load that using the scheduler as that will return ‘unauthorised’ if they’re no longer logged in.

2 Likes
#3

There is an on unauthorized binding which means you can skip the scheduler.

#4

Yes, but that would still need to be called periodically, wouldn’t it? Hence the use of the scheduler.

#5

I never found that to be honest. I just added the on unauthorized to the same action that runs my manual logout action, so in essence it does the same thing as manually clicking the logout button. I never needed a scheduler.

#6

So it runs as soon as the user is no longer logged in, including just timing out?

#7

yes, I found it out by accident because of an api that session expired after 3600 seconds. I was hoping that it could be adjusted so it could run a token refresh a minute before expiry, but it seems to run the instant the session expires.

2 Likes
#8

That is similar to the structure I use. But, I hadn’t included the scheduler to re-check authorization. I like that option.

1 Like