Open Closed

Not really logged out after closing tab/browser #4785


User avatar
0
paul.harriman created
  • ABP Framework version: v7.1
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes / no
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

Create new angular website using suite/cli.

  • Start up website and login.
  • Close the tab/browser
  • Come back 1+ hours later and start up website
  • You will be presented with the login screen,
  • Click login and get into the site without entering credentials which is a severe security risk

Is there a way without custom code of getting logged out after closing the browser tab/browser? We do use an npm package called angular idle that looks for inactivity on the website and then will log you out. But if just you close the tab/browser you are still logged in and can come back the future without credentials.

We have tried using window.unload and removing cookies in localStorage. This appears to work, but there are some situations in which you will be prevented from logging in. using the auth service to logout does not work. probably becuae it is an async process and does not make the tab/browser wait before closing We have tried adding middleware to set lifetimes, that doesn't work

    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        builder.SetAuthorizationCodeLifetime(TimeSpan.FromMinutes(1));
        builder.SetAccessTokenLifetime(TimeSpan.FromMinutes(1));
        builder.SetIdentityTokenLifetime(TimeSpan.FromMinutes(1));
        builder.SetRefreshTokenLifetime(TimeSpan.FromDays(1));
    });

We could write an angular interceptor and use o-auth service to invalidate the token. This will not work for mvc sites

Ultimately, we want something on the backend which will force a logout if the user has been idle for a period of time. We can see there is are cookies in localStorage: id_token_expires_at expiresAt with expiration times

We understand that the refresh token plays a role in this, but that we want a hard lifetime when it would not play a role.


7 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Please remove the offline_access from oAuthConfig to disable the refresh token.

    const oAuthConfig = {
      responseType: 'code',
      scope: 'offline_access MyProjectName'
    };
    

    We could write an angular interceptor and use o-auth service to invalidate the token. This will not work for mvc sites

    Did you select the Remember me when you login MVC website?

    The default authentication cookie of MVC is session. It will be invalid after closing/quitting the browser.

  • User Avatar
    0
    scott7106 created

    We removed offline_access which helped resolve the original issue. If you close the browser and walk away for more than an hour, you now must login again to access the site.

    However, it creates another problem with the angular application. Once the IdentityToken expires, but before the AccessToken expires, the application automatically logs the user out and back in. If they are in the middle of a editing form when this happens, their data is lost as they are returned to the home page.

    You have already user id in our test system at https://synergyz-test.otised.net if you want to see what happens for yourself.

    We added the following code to the PreConfigureServices method in the HostModule so that we could iterate faster on the testing. The login succeeds, after 4 mins, the user is automatically logged out and back in without being prompted for a user / password.

    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        builder.SetAccessTokenLifetime(TimeSpan.FromMinutes(5));
        builder.SetIdentityTokenLifetime(TimeSpan.FromMinutes(2));
    });
    
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Thanks scott7106

  • User Avatar
    0
    paul.harriman created

    maliming,

    Part of the reason we adjusted the lifetimes above was to make it easier to test. I have some of the code changes locally as I'm developing. I have the scope removed, but not the lifetime adjustments.

    It appears that when we just remove the offline_access, we will get logged out after ~1 hour. Meaning even if you're in the middle of something, you get brought back to the screen where you need to enter your credentials. So the time does not "slide". Is there a way to "slide" (meaning while the user is active, they stay logged in, but when they go idle for 1 hour, they get logged out)?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Angular does not support slide.

    If the access token expires, it will use the refresh token(offline_access) to get a new one.

    But I think you can customize this logic in angular, and I will ask angular colleagues.

  • User Avatar
    0
    paul.harriman created

    hi,

    I just want to make sure I understand what you said above. Are you saying that if our solution was an MVC/Blazor solution, this wouldn't be a problem? The slide would exist?

    IE, because we are using an angular and .netcore solution, we do not get the slide.

  • User Avatar
    0
    mahmut.gundogdu created

    You can listen the Browser's event https://developer.mozilla.org/en-US/docs/Web/API/Window/beforeunload_event and execute authService.logout() Also, another option is that you can use SessionStorage as auth storage instead of LocalStorage. (it provide OAuthStorage with a SessionStorage-compatible custom class)

        { provide: OAuthStorage, useClass: AbpLocalStorageService },
    

    https://github.com/abpframework/abp/blob/3e66d25f6f3798b9a9362311ed2c93aa0e98e2c2/npm/ng-packs/packages/oauth/src/lib/oauth.module.ts#L62

    https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage

    Note: you should resource owner flow otherwise backend still store the refresh-token

    https://docs.abp.io/en/abp/latest/UI/Angular/Authorization#resource-owner-password-flow

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11