Firebase auth state persistence with session timeout


Evan Miller

Dec 29, 2018, 12:18:55 PM
to Firebase Google Group
I have a web based application that consists of multiple pages. When the user navigates from one portion of the site to another they move between these pages. I need to ensure that when a user has been logged in for an extended period of time, they get automatically signed out.

After reading through the Authentication State Persistence section of the Firebase docs it doesn't seem like this is an option. I can pick between 'session' and 'none' types of state persistence, but none of these accomplish exactly what I am trying to do. Session won't work when the user moves between pages, and 'none' is even more stringent in the wrong direction.

I understand that I can manage the user's token in the back-end through cloud functions, but this is only relevant when the user interacts with a cloud function, and does not accomplish what I need.

Is there any way for the state of an auth session to automatically time out in the front end after a period of time?

Sushanth Bobby

Dec 31, 2018, 12:13:13 AM
to fireba...@googlegroups.com
Why not use JavaScript's setTimeout set to the desired value and then call firebase auth signOut()?

Just an idea. 


Bassam

Jan 1, 2019, 4:20:47 PM
to Firebase Google Group
Hey Evan, there is no built-in way to do that with our API.
A more secure way to do it is to enforce it from the security rules side. You can check the auth_time field (time user signed in or signed up) in the ID token and enforce that the user was signed in within the expected period of time when accessing any restricted resource. On the client side, you would catch that error and either sign out the user or force them to reauthenticate.

Best regards,
Bassam
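
An added example, not part of the original thread and not Firebase's own code: a client-side helper that anchors the sign-out timer to the `auth_time` claim, so the deadline survives navigation between pages instead of restarting on each load. The 8-hour limit, the skew tolerance and all function names are assumptions.

```javascript
// Added example. MAX_SESSION_SECONDS and all function names are assumptions.
const MAX_SESSION_SECONDS = 8 * 60 * 60; // assumed policy: 8-hour sessions
const CLOCK_SKEW_SECONDS = 300;          // assumed tolerance for client clock drift

// Decode a JWT payload WITHOUT verifying the signature. This is only good for
// deciding when to sign out in the browser; access control still has to be
// enforced where the token is verified (security rules or a backend).
function decodeClaims(idToken) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  const json = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  return JSON.parse(json); // only numeric claims are read below
}

// Seconds left in the session, counted from auth_time (sign-in time) rather
// than from page load. Missing, malformed or future-dated auth_time yields 0.
function secondsRemaining(claims, nowSeconds, maxAge = MAX_SESSION_SECONDS) {
  const authTime = claims ? claims.auth_time : undefined;
  if (!Number.isFinite(authTime)) return 0;
  if (authTime > nowSeconds + CLOCK_SKEW_SECONDS) return 0;
  return Math.max(0, authTime + maxAge - nowSeconds);
}

// Run on every page load: sign out at once if the deadline has passed,
// otherwise arm a timer for the time that is left. Returns the timer handle.
function enforceSessionDeadline(idToken, signOut,
    nowSeconds = Math.floor(Date.now() / 1000), setTimer = setTimeout) {
  let left = 0;
  try {
    left = secondsRemaining(decodeClaims(idToken), nowSeconds);
  } catch (err) {
    left = 0; // unparseable token: fail closed
  }
  if (left === 0) {
    signOut();
    return null;
  }
  return setTimer(signOut, left * 1000);
}

// In a page, with the namespaced Firebase web SDK:
// firebase.auth().currentUser.getIdToken().then((token) =>
//   enforceSessionDeadline(token, () => firebase.auth().signOut()));
```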