Session Management
4 minutes to readDirectory session settings give app authors the ability to increase security and user experience of directory users. Signing out idle users automatically and enforcing user sign-outs periodically both contribute to maintaining a high standard of online security. Users can also significantly benefit from the persistent login feature, which allows them to keep their session active even after they close the browser. This article provides a more detailed overview of these features, enabling you to enhance session management for robust session security implementation.
For more basic information on user authentication in directories, see this article.
Session settings
You can find the session settings of your directory in the Security tab. The following options are available:
- Inactivity timeout: The duration of user inactivity in the user portal after which a directory session expires. The minimum is one minute, and the maximum is 90 days.
- Absolute timeout: The time after which a directory session expires regardless of a user’s activity in the directory’s user portal. The minimum is five minutes, and the maximum is 365 days.
- Persistent login: This option prevents session expiration when the browser is closed. It does not extend the session length.
This option works only when Caspio is the user’s default sign-in method and is unavailable when using external identity providers.
Here is an example of how session settings can influence the user experience:
- An administrator configures the inactivity timeout to two days and the absolute timeout to 90 days.
- When a user signs in, these session settings are applied to their session.
- If the user remains active within two days, their session duration is extended for another 48 hours. Each two-day interval restarts upon user activity, prolonging the session by 48 hours since the last user activity.
- However, if the user remains inactive for a continuous two-day period, their directory session will be terminated.
- The absolute timeout set at 90 days means that a user is always automatically signed out precisely 90 days after they signed in, regardless of their activity.
If the session settings are adjusted while a user is signed in, the new settings take effect immediately. If the current ongoing user session is already longer than the newly changed setting, the user will be signed out upon the next server request (activity involving loading system data).
Directory session vs. application session
Directory session settings affect sessions initiated within that directory only. External identity providers (IdPs), DataPages, and third-party applications generate their own sessions upon user sign-in. Those sessions remain unaffected by the directory’s session settings. The directory can terminate these sessions only when Single Logout (SLO) is enabled (turned on by default for Caspio applications).
To enhance user experience, the directory automatically extends a user’s session when interacting with the directory’s user portal pages. For example, actions such as viewing security settings or changing a password extend the session within the directory without affecting the application session.
In contrast, user interactions with DataPages or third-party applications typically extend the application session (depending on the application settings), but they do not impact the directory session. Each application operates within its own session, and interactions extend the session of that application only.
Directory and application sessions operate independently unless the Single Logout (SLO) feature is enabled. In certain scenarios, the directory session might expire due to user inactivity. However, the user might not need to sign in again to use the app because the session within the application remains active, even if the directory session expired.
Session termination and user sign-out
A user session can be terminated through a sign-out request, initiated either directly by a user or through Single Logout (SLO) with another entity. Additionally, session expiration due to user inactivity or absolute timeout can also terminate the user session. When a session ends, the user is no longer able to make authorized requests to the server.
If the user attempts such a request after the session ends, they are redirected to a sign-out destination page, which is by default the sign-in page of the directory or application. However, if the user is previewing an application page, they can interact with the page until an unauthorized server call is made.
For example, a user can view a list of products, but when attempting to open the details page of a selected product after the session has ended, they are directed to the directory’s sign-in page.