Instance doesn't time out users as expected?

georgechen
Kilo Guru

Hi folks,

I am having an instance time out issue; referring to Manage user sessions, I have changed sys_properties

glide.security.csrf.handle.ajax.timeout = true

glide.ui.session_timeout = 10 (10 minutes just for testing)

glide.ui.auto_req.extend.session = false

One thing I notice is that in the instance, the 'Remember me' is not visible, probably because it has been customized by our company, and I am wondering if I can make it visible again in order to test the time out.

Potentially, I was thinking of tracking users' last activity, like the last interaction time over a session, and implementing a timer to time out users if they are idle for a period of time.

Any advice would be highly regarded.

Thanks,

7 REPLIES

adamjgreenberg
ServiceNow Employee

George,

Do you have the "remember me" default value set to false in the system properties?

glide.ui.remember.me.default = false

Are you using SSO? If so, this will override the session_timeout variable.


Thanks Adam, yes, I checked and found it already set to false. I am testing on a new dummy user again to see how it goes.




George,

Can you go to sys_user_token_list.do and find the user that is not timing out? What's the value for the invalidated date? Is it null?

ETA: One more thing, what's the "expires" date? Is it the time/date that you're expecting (8 hours, 10 minutes, etc.) or is it years in the future?

Can you then check sys_user_session_list.do and look for the same user? Is there more than one with a NULL invalidated date?




Sorry, one final thing.

Can you check this scheduled job - Clean User Tokens

yourinstance.service-now.com/sys_trigger.do?sys_id=c4a375b27f000001013bed88b0ef199a

Is it running on a schedule? Has it run recently?




You may need to be more aggressive with the timings:

//Delete the expired tokens
var gr = new GlideRecord('sys_user_token');
gr.addQuery('expires', '<', gs.daysAgo(0));
gr.deleteMultiple();

//Delete the invalidated tokens that are more than 30 days old
gr = new GlideRecord('sys_user_token');
gr.addQuery('invalidated', '<', gs.daysAgo(30));
gr.deleteMultiple();

//Delete the tokens that are created more than 60 days ago
//If a user has a session that runs for 60 days straight, then we force a re-login
gr = new GlideRecord('sys_user_token');
gr.addQuery('sys_created_on', '<', gs.daysAgo(60));
gr.deleteMultiple();



As a last resort you'd want to modify line 16 to delete the token if greater than X days.
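
The checks asked for in the replies above (is "invalidated" empty, is "expires" what you expect, does one user hold several live sessions), as an added example that is not part of the thread and not ServiceNow code. It runs in plain JavaScript over rows exported from sys_user_token and sys_user_session; the `user` key, the UTC date format and all sample rows are assumptions constructed for illustration.

```javascript
// Added example. `expires` and `invalidated` are the fields named in the thread;
// the `user` key, UTC date format and every sample value are constructed assumptions.
const MINUTE_MS = 60 * 1000;
// Parse "YYYY-MM-DD HH:mm:ss" as UTC; empty or malformed values become null.
function parseDate(value) {
  if (!value) return null;
  const ms = Date.parse(String(value).trim().replace(' ', 'T') + 'Z');
  return Number.isNaN(ms) ? null : ms;
}

// Flag tokens that are still valid (invalidated is empty) but whose expiry is
// missing, already past (cleanup has not removed them), or beyond the timeout.
function auditTokens(tokens, nowMs, timeoutMinutes) {
  const findings = [];
  for (const t of tokens) {
    if (parseDate(t.invalidated) !== null) continue; // already invalidated
    const expires = parseDate(t.expires);
    if (expires === null) findings.push({ user: t.user, issue: 'no-expiry' });
    else if (expires < nowMs) findings.push({ user: t.user, issue: 'expired-not-cleaned' });
    else if (expires - nowMs > timeoutMinutes * MINUTE_MS)
      findings.push({ user: t.user, issue: 'expiry-beyond-timeout' });
  }
  return findings;
}

// Return users holding more than one session with an empty invalidated date.
function usersWithMultipleLiveSessions(sessions) {
  const counts = new Map();
  for (const s of sessions) {
    if (parseDate(s.invalidated) === null) counts.set(s.user, (counts.get(s.user) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([user, n]) => ({ user, sessions: n }));
}

// Constructed sample rows; "now" is fixed so the result is reproducible.
const NOW = parseDate('2024-01-01 12:00:00');
const SAMPLE_TOKENS = [
  { user: 'user.a', expires: '2024-01-01 12:08:00', invalidated: '' },
  { user: 'user.b', expires: '2034-01-01 12:00:00', invalidated: '' },
  { user: 'user.c', expires: '2023-12-31 09:00:00', invalidated: '' },
  { user: 'user.d', expires: '2034-01-01 12:00:00', invalidated: '2023-12-30 10:00:00' },
];
const SAMPLE_SESSIONS = [
  { user: 'user.a', invalidated: '' },
  { user: 'user.b', invalidated: '' },
  { user: 'user.b', invalidated: '' },
  { user: 'user.b', invalidated: '2023-12-31 08:00:00' },
];
console.log(auditTokens(SAMPLE_TOKENS, NOW, 10), usersWithMultipleLiveSessions(SAMPLE_SESSIONS));
```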


Hi Adam,



I opened the list and found 14k records in it, 44 without Invalidated populated, and I can see myself in one of the records.





I would be expecting the expiring date to be 10 minutes, as I changed glide.ui.session_timeout to 10 as mentioned earlier.



I can also confirm the 'Clean user tokens' is running in my testing instance, and it runs every one hour





My testing account was locked out (not sure it was 10 minutes, and I am testing again)



I was wondering, if the 'glide.ui.session_timeout' was correctly set, why wouldn't it log out users?