Force User LogOut

syndeo

Does the logout actually work? If you hit the back button on your browser after a logout (and I suspect a timeout) and click refresh, then it logs you back in no problem with a new session ID. Does anybody have a solution here to force a genuine logout?

I was thinking perhaps you could apply a flag during a logout notification and check that flag again on login (refresh browser), but that would put you in an infinite loop I suspect because AIM won’t know if you’re actually logging in or refreshing the browser.

any thoughts here?

syndeo

Possible solution. See my post at Browser refresh

kklosson

I am trying to logout the current user. Everything I’ve tried results in a wait screen.

FIND SysteUser WHERE SystemUser.ID=LoggedINSystemUser.ID
LOGOUT SystemUser

What am I missing?

customaware

Here’s how I do it…..

My LogOut Process
(
Note: This is used when a Login detects a previous Login that was not Logged Out ie.

IF    NMB_OF_SESSIONS(LoggedInSystemUser)>1 THEN
DISPLAY QUESTION SystemSettings.MessageOrange+'Someone is already using this account or you did not log out the last time correctly.  Do you want to close the open session?'+SystemSettings.MessageClose)
)

LOGOUT2
DISPLAY PERSPECTIVE LoggingOut

In the VP LoggingOut

Everything disabled except Main with a single Panel Content being Command.
The Command is…

Logout with URL being <<SystemSettings.LogoutURL>>

Which is the initial Application URL

kklosson

That is somewhat like what I have. The problem is that calling the DISPLAY PERSPECTIVE from a process like this leaves the process in a perpetual waiting state. Let me know if you are able call DISPLAY PERSPECTIVE in a process without the process remaining in a waiting state.

kklosson

customaware

In my experience, the LOGOUT function hangs the window in a wait state. The LOGOUT action description requires an explicit user to be logged out. I have used the following:

FIND System User WHERE SystemUser.ID = LoggedInSystemUser.ID
LOGOUT SystemUser

This hangs the window in my experiments.

syndeo

kklosson Yes, getting the same result

I have discovered that if you have other commands in the same process rule, you will hang. for example I had the following in the same process rule:

FIND SynstemUser WHERE Systemuser = LoggedInSystemUser
DISPLAY MESSAGE 'Access Denied'
Logout SystemUser
DISPLAY URL 'http(s)://server/AwareIM/logon.jsp?domain=myDomain'`

This seemed to hang indefinitely.

I removed the DISPLAY MESSAGE command and it worked as expected.

**** EDIT ****

I think it has to do with anything requiring user input - the logout process doesn’t fire. So it has nothing to do with what I said above about being in the same process rule.

I’ve tested again and changed my message display command to use ASNYCH. Whilst it does not hang anymore, it does not perform the logout function. So am just left with an employ perspective.

Anybody else have a better explanation?

syndeo

As a few have previously discussed. logout out does not prevent reauthentication after a click of the back button and then a refresh.

In another post Browser refresh
I explored determining whether the back button and refresh are clicked and then getting the browser to perform some action to redirect the user to the login page. This seemed a bit clunky and not working on all browsers. So perhaps a more simple solution is to execute JavaScript in an AIM process you use to logout.
instead of

FIND SynstemUser WHERE SystemUser = LoggedInSystemUser
Logout SystemUser
DISPLAY URL 'http(s)://server/AwareIM/logon.jsp?domain=myDomain'

you simply do this

FIND SynstemUser WHERE SystemUser = LoggedInSystemUser
Logout SystemUser
EXEC_SCRIPT 'window.location.replace(`http(s)://server/AwareIM/logon.jsp?domain=myDomain`);'

//putting this here again as the script function removes the quotes need. make sure you use the correct quotes here “ ` ”
EXEC_SCRIPT ’window.location.replace(‘http(s)://server/AwareIM/logon.jsp?domain=myDomain’);'

this forces the browser to remove startup.html from the browser’s history so when you click back after a logout it simply takes you back to the original logon screen.

I have however found that with some browsers when you click back the user’s credentials are populated. so you will need some script in each logon page to clear the credentials when the user hits login.

    window.addEventListener('beforeunload', function(event) {
       document.getElementById('username').value="";
       document.getElementById('password').value="";
    });

Would be great if others could test and let me know if it works

kklosson

Have you checked to see if the process in which this occurs finishes and does not leave the process in the Active Processes display?

syndeo

Yes it clears for me. Does this not clear for you?

This does not prevent re authentication after a timeout though because a process is not actually fired when the system times out. So I am investigate a way to do this without the need to manipulate the browser’s behaviour through JavaScript.

I have a solution where it works on a single browser only. Basically:

If the user initiates a the logout process (as described in the above post), then a flag is created which will allow the user to login as normal.

The user logins and a process at login clears the flag.

if the system times out. and the user hits back then refreshes the browser, then it will authenticate the user, but a process at login will check if the flag is present and if it is not, then the logout process is fired which applies the flag.

This may have some user experience issues if the user refreshes the browser whilst logged in. It will take them to the login page again and they will have to login. Working through this, but see this as a minor issue.

if you introduce a second browser (or another device) for that same user. This is where there is a problem

If the user logs in on a second browser, it won’t log them in because the flag is not present - I am ok with this. The system checks if there are more than one session and if there are more, then the logout process is fired and the flag is applied.

The first browser times out (this is ok), however, because the flag is present, you can click back on the first browser and refresh and then the user will re authenticate with no issues.

syndeo

Does anyone know if it is possible to fire a process when a system times out (or just before)

I realise you can probably do this through scheduling, but was trying to avoid the system continually checking.

Another way, but not perfect is to periodically clear the flag of all users, but this would probably require scheduling as well.

BobK

syndeo
“Does anyone know if it is possible to fire a process when a system times out (or just before)”

Yes it is possible. (I think).

Add “LogoutNotification” to the Notifications.
One of the default attributes is “IsTimeout”, which you can check to see if the user logged out or timed out.
You can add rules to be executed when the notification is received or created.

I do not know what the difference is between received and created and I put all of my rules in the received tab

Actually, I only use the data to create log records, but I assume you can run processes too.

syndeo

BobK Thanks. I was playing around with the LogoutNotification, but I was finding that the IsTimeout attribute wasn’t working as I expected (and as you have described). It seemed to set to ‘Yes’ at random.

I also noticed the following:

When the logout process was initiated it would crate a record - no problems here

eg
LogoutLog.LogoutLoginName = LogoutNotification.LoginName LogoutLog.LogoutIsTimeout = LogoutNotification.IsTimeout

if a time out happened, no record was created. After the user logged back in and then initiated another logout process, it created two records, neither of which had IsTimeout set to ‘Yes’.

syndeo

Ok after further testing, it doesn’t appear to be random when it generates the timeout log, however, i am finding that it can take several minutes to record the entry. this is not consistent though with the duration of timing from timeout to record of entry.

has anyone experienced this behaviour?

**** EDIT ****

Ok it appears that they system is checking approximately ever 5 minutes, regardless of what the timeout session is. Is there any way of changing this?