Greenlight - Idle session timeout


Jeffry Johnson

Feb 2, 2022, 1:23:51 AM
to bigbluebutton-greenlight
We have the need to set an idle timeout of 10 min on greenlight so if a user sits on the page for 10 min or more not doing anything, they need to get logged out automatically. Is there a setting somewhere that we can set for this?

AMIR KHEMISSI

Feb 2, 2022, 6:08:02 AM
to bigbluebutton-greenlight
Hi Jeffry,

I hope that this finds you well,

After reading your question I want to make sure that I've fully comprehended your needs.
So, you want to make some changes to the Greenlight project to invalidate sessions after an idle timeout of ten minutes elapses, meaning that:
1. If a logged-in user hasn't made any interaction with the server for a period of time that exceeds or equals ten minutes, this user will get automatically logged out on the next interaction with the server.
2. If a logged-in user has made an interaction with the server before the ten-minute time window elapses, they will reset their timeout for the next ten minutes, counting from the request timestamp.

If that's the case then here's a quick solution that may answer your needs:
I recommend that you check what changed and try to understand it in case you want to make some modifications.
In case you are going to use it, be aware that it hasn't been subject to extensive testing. With that said, it doesn't mean that it's unsafe to be rolled out, but I recommend that you test it on a small portion of your users or on a development environment to avoid any inconsistencies.

The solution will simply:
1. Add an attribute to the sessions hash that I called latest_interaction and which will hold the timestamp of the latest request made to the server with that particular session.
2. With each authenticated request, the current_user method in the Application controller will check whether the latest_interaction timestamp is older than what's allowed.
If the latest_interaction was made at least Rails.configuration.session_idle_timeout seconds ago, then the method will:
- Reset the session -> logging out the user.
- Redirect them back to root_path with an alert banner indicating that their session was idle and it got timed out.

The Rails.configuration.session_idle_timeout will default to 10 minutes in seconds, and to avoid building a new image once you decide to change the timeout window, you can inject it externally through the environment variable SESSION_TIMEOUT and restart the application.
For a seamless integration any already active sessions will automatically pick the first interaction timestamp after the upgrade as their latest_interaction session metadata.
For each request within the allowed time frame each session will get their latest_interaction timestamp updated with the event timestamp.

I also invite you to give me feedback once you test it out, and if you believe that it would be of great use for other deployments too, I request that you open an issue here at https://github.com/bigbluebutton/greenlight/issues so that we can add this in upcoming versions.

Hope that helps,

Amir,
Greenlight maintainer,
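
The check described in the post above, as an added example that is not part of the original thread or Greenlight's own code: plain Ruby with a Hash standing in for the Rails session. `latest_interaction`, `SESSION_TIMEOUT` and the ten-minute default come from the post; `touch_or_expire`, `DEFAULT_IDLE_TIMEOUT`, the `:user_id` key and the fail-closed handling of a malformed value are assumptions.

```ruby
# Added illustration, not Greenlight code. Plain Ruby, no Rails required.
DEFAULT_IDLE_TIMEOUT = 10 * 60 # seconds, the default stated in the post

# Read the timeout from SESSION_TIMEOUT. Fall back to the default when the
# variable is unset, non-numeric, or not positive, so a typo in the
# environment cannot silently disable the timeout.
def session_idle_timeout(env = ENV)
  value = Integer(env.fetch('SESSION_TIMEOUT', ''), 10)
  value.positive? ? value : DEFAULT_IDLE_TIMEOUT
rescue ArgumentError
  DEFAULT_IDLE_TIMEOUT
end

# Hypothetical helper standing in for the check inside current_user.
# `session` is a Hash standing in for the Rails session (:user_id is an
# assumed key), `now` is a Time.
# Returns :anonymous, :active (timestamp refreshed) or :timed_out (cleared).
def touch_or_expire(session, now, timeout = session_idle_timeout)
  return :anonymous unless session[:user_id]

  last = session[:latest_interaction]
  # nil means the session predates the upgrade: adopt this request's time.
  unless last.nil?
    # Assumption: a non-integer value is treated as expired (fail closed).
    expired = !last.is_a?(Integer) || now.to_i - last >= timeout
    if expired
      session.clear # stands in for reset_session plus the redirect
      return :timed_out
    end
  end
  session[:latest_interaction] = now.to_i
  :active
end

if __FILE__ == $PROGRAM_NAME
  # Constructed timeline: three requests from one logged-in session.
  start = Time.at(1_700_000_000)
  session = { user_id: 42 }
  [0, 599, 599 + 600].each do |offset|
    puts "t+#{offset}s -> #{touch_or_expire(session, start + offset, 600)}"
  end
end
```

The idle check only runs when a request arrives, so an idle browser tab keeps showing the page until its next request to the server.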



Jeffry Johnson

Feb 2, 2022, 1:00:59 PM
to bigbluebutton-greenlight
That is exactly what we're looking for! We will absolutely take a closer look at this. Thank you VERY much!

AMIR KHEMISSI

Feb 3, 2022, 4:49:17 AM
to bigbluebutton-greenlight
You are VERY welcome,