I am writing a Knockout application with Web API as a backend. I used this tutorial to implement bearer token authorization, so I have access tokens; however, the login functionality is provided externally. What I need to implement is logging out after a certain time, e.g. 1 hour, and, if the user is active all the time, after a longer time, 10 hours. So I have my settings like below:

    OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
    {
        AllowInsecureHttp = true,
        TokenEndpointPath = new PathString("/token"),
        AccessTokenExpireTimeSpan = TimeSpan.FromHours(10),
        Provider = container.Resolve<IOAuthAuthorizationServerProvider>()
    };

And it works: access is revoked after 10 hours, but how do I achieve logging out after being inactive for 1 hour? I am wondering about some usage of refresh tokens or implementing sessions in the app.

Pawel

1 Answer

How to achieve logging out after being inactive for 1 hour?

You can try something like this.

<script type="text/javascript">
var timeout = 3600000; // Timeout in 60 mins (milliseconds).

var timeoutTimer;

// Start the inactivity timer.
function StartTimers() {
    // Pass the function itself; a string argument is evaluated like eval().
    timeoutTimer = setTimeout(Timeout, timeout);
}

// Reset the timer on user activity.
function ResetTimers() {
    clearTimeout(timeoutTimer);
    StartTimers();
}

// Fires when no activity was seen for the whole timeout period.
function Timeout() {
    // Your logout logic (e.g. discard the stored access_token and redirect).
}
</script>

<body onload="StartTimers();" onmousemove="ResetTimers();">

</body>

What it basically does is: on page load it starts the timer, on mousemove it resets the timer, and when there is no activity it fires Timeout, where you can put your logout logic.

Vivek Singh
  • Sure, I have implemented something like this, but with session usage and information about activity. The problem is that the access_token still remains valid on the server side – Pawel Feb 23 '17 at 14:07
  • It will remain valid until its expiration time is over. Keep the token expiration of short duration and clear the access_token on logout... everything you define at the creation of a token is stored in the access_token itself and nothing is stored on the server. See this for more reference: https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/individual-accounts-in-web-api and this: http://stackoverflow.com/questions/7030694/why-do-access-tokens-expire/7035926#7035926 – Vivek Singh Feb 23 '17 at 18:30
  • @VivekSingh but how can I clear the token on the server side when there are multiple tokens against a single userid, meaning in the case of a user using a web app and a mobile app that have the same backend API? – Dragon Mar 23 '17 at 20:23
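Putting the answer's reset-on-activity timer together with the two limits from the question (1 hour idle, 10 hours absolute), as an added example that is not part of the original answer: the policy object is kept separate from the browser wiring so it can be exercised with an injected clock. It assumes the SPA keeps its own copy of the bearer token and that the supplied `logout` callback discards it; as the comments note, this is client-side only, and the server keeps honouring the token until AccessTokenExpireTimeSpan elapses.

```javascript
// Added example (not from the original answer): client-side session policy
// combining the question's limits, 1 hour idle and 10 hours absolute.
// Assumption: the SPA stores the token itself and `logout` discards it;
// the server still honours the token until its own expiry.
const IDLE_TIMEOUT_MS = 60 * 60 * 1000;          // 1 hour without activity
const ABSOLUTE_TIMEOUT_MS = 10 * 60 * 60 * 1000; // 10 hours since the token was issued

class SessionPolicy {
  // `now` is an injectable clock (ms) so the logic can be tested without waiting.
  constructor({ idleMs = IDLE_TIMEOUT_MS, absoluteMs = ABSOLUTE_TIMEOUT_MS, now = Date.now } = {}) {
    this.idleMs = idleMs;
    this.absoluteMs = absoluteMs;
    this.now = now;
    this.issuedAt = null;     // when the access token was obtained
    this.lastActivity = null; // last user interaction
  }
  start() { this.issuedAt = this.lastActivity = this.now(); } // call after /token succeeds
  touch() { if (this.issuedAt !== null) this.lastActivity = this.now(); } // call on activity
  // The session ends at whichever limit is reached first.
  expiresAt() {
    if (this.issuedAt === null) return null;
    return Math.min(this.lastActivity + this.idleMs, this.issuedAt + this.absoluteMs);
  }
  // 'none' (no token), 'active', or the limit that ended the session: 'idle' / 'absolute'.
  status() {
    if (this.issuedAt === null) return 'none';
    const t = this.now();
    if (t >= this.issuedAt + this.absoluteMs) return 'absolute';
    if (t >= this.lastActivity + this.idleMs) return 'idle';
    return 'active';
  }
}

// Browser wiring: one timer, re-armed on activity, calling `logout` with the reason.
function installIdleLogout(policy, logout, doc = globalThis.document) {
  let timer = null;
  const arm = () => {
    clearTimeout(timer);
    timer = setTimeout(() => {
      const reason = policy.status();
      if (reason === 'active') arm(); else logout(reason); // guard against an early wake-up
    }, Math.max(0, policy.expiresAt() - policy.now()));
  };
  policy.start();
  for (const ev of ['mousemove', 'keydown', 'click', 'touchstart']) {
    doc.addEventListener(ev, () => { policy.touch(); arm(); }, { passive: true });
  }
  arm();
}
```

In the browser, call `installIdleLogout(new SessionPolicy(), reason => { sessionStorage.removeItem('access_token'); location.assign('/login'); })` once the token has been obtained (the storage key is an assumption).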