Session timeout

I set the custom configuration as follows to force a session timeout in case the user did not close the browser and takes no action in the browser: EnableKeepAlive=false, SessionTimeout=10000 (10 seconds for testing). But after 10 seconds the user session is still active.
3 answers

I've just tested this in a simple test project and using just those two settings, my sessions are removed just fine. It's not exactly 10 seconds, but usually 12-15. This is caused by the internal Mendix event that cleans up sessions not lining up exactly with the session timeout.

  • Are your sessions removed eventually? After how much time?
  • Are you using any other custom settings or command-line options?
  • Are you using any widgets or other client-side components that regularly send requests to the server, without user interaction?
  • Do the settings work for you when you try them in an empty project?

Wild guess: could it be that the SSO is responsible? Normally when a user is logged out of the system you are returned to the login page. But with SSO functionality you immediately get redirected to the authentication server, which logs you in again.




Hi Mohammad

The whole point of SSO is that it authenticates you seamlessly using your Windows account, so I am interested to hear how you expect session timeouts to work in this situation. Say the system logs you out after 5 mins - surely the next keep-alive will trigger SSO to reconnect you automatically? I don't see how you can expect SSO to work in some situations, but not others.

If you really need to disconnect users from your application, I think you need to create your own mechanism - such as setting a date-time field linked to the account entity, and updating it to CurrentDateTime each time the user clicks a button (they all need to be microflow buttons) or opens a record, or uses a menu. Then have a scheduled event that searches for accounts where the last activity is more than 10 mins ago, and trigger a URLRedirect to a different web page away from your application. The session can then be removed in the normal manner.
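
The last-activity mechanism from the answer above, modelled in plain Python as an added example that is not part of the original thread and is not Mendix code. The class, function and request-kind names are hypothetical; the point it shows is that only user-initiated requests may reset the idle clock, otherwise keep-alive pings or polling widgets keep the account "active" forever.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=10)  # threshold taken from the answer above

# Request kinds that count as real user activity (assumed names).
USER_ACTIONS = {"button_click", "open_record", "menu"}

@dataclass
class Account:
    name: str
    last_activity: datetime  # the date-time field linked to the account
    active: bool = True

@dataclass
class IdleTracker:
    accounts: dict = field(default_factory=dict)

    def login(self, name, now):
        self.accounts[name] = Account(name, now)

    def on_request(self, name, kind, now):
        """Reset the idle clock only for user-initiated requests.
        Keep-alive pings and widget polling are deliberately ignored."""
        acct = self.accounts.get(name)
        if acct and acct.active and kind in USER_ACTIONS:
            acct.last_activity = now

    def sweep(self, now):
        """Scheduled event: mark accounts idle longer than IDLE_LIMIT
        and return their names so the caller can redirect them."""
        expired = []
        for acct in self.accounts.values():
            if acct.active and now - acct.last_activity > IDLE_LIMIT:
                acct.active = False
                expired.append(acct.name)
        return sorted(expired)

def demo():
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timeline
    tracker = IdleTracker()
    tracker.login("alice", t0)
    tracker.login("bob", t0)
    for m in range(1, 12):  # alice's browser only sends keep-alive pings
        tracker.on_request("alice", "keep_alive", t0 + timedelta(minutes=m))
    tracker.on_request("bob", "button_click", t0 + timedelta(minutes=8))
    first = tracker.sweep(t0 + timedelta(minutes=11))   # alice idle 11 min
    second = tracker.sweep(t0 + timedelta(minutes=19))  # bob idle 11 min
    return first, second

if __name__ == "__main__":
    print(demo())
```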