Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

How do I track user site website interaction for implementing an idle timeout feature?

Avatar

Level 8

We want to implement some sort of idle timeout on our website.

I think there are 2 parts to the solution

1. a server-side code that "resets" a cookie time whenever the user visits a page (I'm thinking something like a sling filter?)

2. a client-side code (maybe via javascript) that resets the same cookie when the user interacts on the page (example: clicking on a form field)

 

Is there a better way to do this?

 

Thanks in advance.

 

edit: The reason why we want to implement idle timeout is because it's a requirement for any financial institution in my country.

 

 

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

I understand that. So it's a security feature, is it?

 

In that case you should come up with a holistic plan of security, and integrate this feature into it. And any client-side security measure must be augmented with a server-side component, because you cannot trust the client.

View solution in original post

7 Replies

Avatar

Level 7

IMO, you should opt for client-side code to find out the idle time out, once idle time out reaches you can easily log out the user. From client-side code you will have several ways to track the idle time - cookies, browser cache etc.

 

You should not go for the option 1 which is server side, for every click on the page/form/link you need to send the backend request which will put your backend servers under stress.

 

Avatar

Level 8

I edited my original post. Is your suggestion still the same?

Avatar

Community Advisor

If you are using AEM token authentication or SAML, you can update this configuration : /system/console/configMgr/org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl and set desired value for Token Expiration field.
You don't need to write code to handle timeout in this case.

Linkhttps://experienceleague.adobe.com/docs/experience-cloud-kcs/kbarticles/KA-16464.html?lang=fr-FR

 

Else you can write a client-side code to reset cookie(on every interaction on screen)with expiration time. 

 

Avatar

Level 8

I've seen that but it seems the consulting firm who put the "protected" pages in place decided to bypass the built-in SAML functionality and implemented their own.

Avatar

Employee Advisor

As @tusharbias  already mentioned: Implement it client-side. Otherwise every request needs to hit always AEM and it makes it very hard to use caching.

 

Unfortunately you don't mention the reason why you need to implement it. If you implement it for security reasons you probably can't get around a full server-side solution, because you cannot control the client. This goes into an architectural discussion then.

Avatar

Level 8

The reason why we want to implement idle timeout is because it's a requirement for any financial institution in my country.

Avatar

Correct answer by
Employee Advisor

I understand that. So it's a security feature, is it?

 

In that case you should come up with a holistic plan of security, and integrate this feature into it. And any client-side security measure must be augmented with a server-side component, because you cannot trust the client.