How do I track user site website interaction for implementing an idle timeout feature? | Community
jayv25585659
Level 8
August 24, 2022
Solved


We want to implement some sort of idle timeout on our website.

I think there are 2 parts to the solution:

1. Server-side code that "resets" a cookie time whenever the user visits a page (I'm thinking something like a Sling filter?)

2. Client-side code (maybe via JavaScript) that resets the same cookie when the user interacts with the page (example: clicking on a form field)

Is there a better way to do this?

Thanks in advance.

Edit: The reason why we want to implement idle timeout is because it's a requirement for any financial institution in my country.


3 replies

Adobe Employee
August 24, 2022

IMO, you should opt for client-side code to detect the idle timeout; once the idle timeout is reached, you can easily log out the user. From client-side code you have several ways to track the idle time: cookies, browser cache, etc.

You should not go for option 1, which is server-side: for every click on the page/form/link you need to send a backend request, which will put your backend servers under stress.
jayv25585659
Level 8
August 24, 2022

I edited my original post. Is your suggestion still the same?

Sachin_Arora_
Community Advisor
August 24, 2022

If you are using AEM token authentication or SAML, you can update this configuration: /system/console/configMgr/org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl and set the desired value for the Token Expiration field.
You don't need to write code to handle the timeout in this case.

Link: https://experienceleague.adobe.com/docs/experience-cloud-kcs/kbarticles/KA-16464.html?lang=fr-FR

Otherwise you can write client-side code to reset a cookie (on every interaction on screen) with an expiration time.

jayv25585659
Level 8
August 24, 2022

I've seen that but it seems the consulting firm who put the "protected" pages in place decided to bypass the built-in SAML functionality and implemented their own.

joerghoh
Adobe Employee
August 24, 2022

As @tushar_gupta already mentioned: Implement it client-side. Otherwise every request always needs to hit AEM, and it makes it very hard to use caching.
Unfortunately you don't mention the reason why you need to implement it. If you implement it for security reasons you probably can't get around a full server-side solution, because you cannot control the client. This goes into an architectural discussion then.

jayv25585659
Level 8
August 24, 2022

The reason why we want to implement idle timeout is because it's a requirement for any financial institution in my country.

joerghoh
Adobe Employee
Accepted solution
August 25, 2022

I understand that. So it's a security feature, is it?

In that case you should come up with a holistic plan of security, and integrate this feature into it. And any client-side security measure must be augmented with a server-side component, because you cannot trust the client.
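
The two concerns raised in this thread (the client cannot be trusted to enforce the timeout, and one backend request per click is too expensive) can be combined as in the following added example, which is not part of the original thread and is not AEM or Adobe code. The class names, the 15-minute limit, the one-minute ping interval, the in-memory Map and the session id are all assumptions made for illustration.

```javascript
// Added example: class names, durations and the session id are constructed.
// Server side: the idle decision uses only the server clock.
class IdleSessionTracker {
  constructor(idleMs, now = () => Date.now()) {
    this.idleMs = idleMs;
    this.now = now;
    this.lastSeen = new Map(); // sessionId -> server time of last activity
  }
  start(sessionId) { this.lastSeen.set(sessionId, this.now()); }
  // Call on each request or ping; no client-supplied timestamp is accepted.
  touch(sessionId) {
    const last = this.lastSeen.get(sessionId);
    if (last === undefined) return "unknown";
    if (this.now() - last >= this.idleMs) {
      this.lastSeen.delete(sessionId); // an expired session cannot be revived
      return "expired";
    }
    this.lastSeen.set(sessionId, this.now());
    return "active";
  }
}

// Client side: coalesce UI events into at most one ping per interval.
class ActivityPinger {
  constructor(minIntervalMs, sendPing, now = () => Date.now()) {
    Object.assign(this, { minIntervalMs, sendPing, now, lastPing: -Infinity });
  }
  onActivity() {
    if (this.now() - this.lastPing < this.minIntervalMs) return false;
    this.lastPing = this.now();
    this.sendPing();
    return true;
  }
}

// Walk-through with a fake clock: 15 min idle limit, at most 1 ping per minute.
function runDemo() {
  let t = 0;
  const clock = () => t;
  const server = new IdleSessionTracker(15 * 60_000, clock);
  let pings = 0;
  const send = () => { pings++; server.touch("sess-demo"); };
  const pinger = new ActivityPinger(60_000, send, clock);
  server.start("sess-demo");
  for (t = 0; t < 60_000; t += 1_000) pinger.onActivity(); // 60 clicks
  t = 10 * 60_000; const mid = server.touch("sess-demo");
  t = 25 * 60_000; const late = server.touch("sess-demo");
  return { pings, mid, late, again: server.touch("sess-demo") };
}
```

The ping interval has to stay well below the idle limit, and a client-side countdown or logout redirect is only a convenience for the user: the session ends when the server returns "expired", whatever the browser does.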