I’ve configured the Apache Jackrabbit Oak TokenConfiguration in AEM 6.5 to set token expiry, and it works as expected.
However, it doesn’t consider user inactivity — the session expires only after the configured time, regardless of whether the user is active or idle.
I’m thinking of adding a client-side JavaScript to detect inactivity and force logout, ideally by loading it globally in the author environment.
Is there any official or supported clientlib category that loads globally at the instance level (i.e., across all authoring UIs like Sites, Assets, etc.)?
Thanks in advance!
-Sravan
@giuseppebag and @AmitVishwakarma
Thank you for your replies. I tried those already; somehow the TokenConfiguration "Refresh Token" didn't work in the first instance.
Upon rebuilding and restarting the instance, I see no issue now - it is working as expected.
Solution: Enable the "Refresh Token" and restart the instance (not necessarily, but in case you don't see an immediate effect).
Thank you,
- @B_Sravan
Hi @B_Sravan, OOTB you can leverage the Apache Jackrabbit Oak TokenConfiguration, and it has a Token Refresh option as shown below:
You can find more details in this interesting article.
Alternatively, you could implement a custom client library, even if it feels a bit like overengineering something already available.
```javascript
(function($) {
    "use strict";

    var idleTimeout = 1800 * 1000; // 30 minutes
    var idleTimer;

    // Restart the countdown whenever the user interacts with the page.
    function resetTimer() {
        clearTimeout(idleTimer);
        idleTimer = setTimeout(logout, idleTimeout);
    }

    // Call the Sling logout endpoint, then send the browser to the root page.
    function logout() {
        $.ajax({
            url: Granite.HTTP.externalize("/system/sling/logout?resource=/"),
            method: "GET",
            success: function() {
                window.location.href = "/";
            }
        });
    }

    // Any of these events counts as activity in this tab.
    $(document).on("mousemove keydown scroll", resetTimer);
    resetTimer();
})(window.jQuery);
```
Hi @B_Sravan ,
Try below solution:
1. Create a clientlib with the right categories
2. Write a secure inactivity tracking script
3. Force logout via /system/sling/logout
4. Ensure it works across all author consoles
1. Create a Clientlib: /apps/<your-project>/clientlibs/inactivity
Structure:
```
/apps/<your-project>/clientlibs/inactivity
├── js/
│   └── inactivity.js
├── css.txt (optional)
├── js.txt
└── .content.xml
```
2. js.txt
js/inactivity.js
3. .content.xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:cq="http://www.day.com/jcr/cq/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0"
    jcr:primaryType="cq:ClientLibraryFolder"
    categories="[cq.authoring.page,cq.authoring.console]"
    dependencies="[granite.jquery]"
    embed=""/>
```
cq.authoring.page – Loads in authoring pages (Sites)
cq.authoring.console – Loads in all AEM consoles like Assets, Users, Tools
granite.jquery – Ensures jQuery is available
4. inactivity.js
```javascript
(function ($, window, document) {
    "use strict";

    // Configuration
    var idleLimit = 30 * 60 * 1000; // 30 minutes
    var logoutUrl = Granite.HTTP.externalize("/system/sling/logout?resource=/");
    var idleTimer = null;

    // Restart the countdown on every activity event.
    function resetTimer() {
        if (idleTimer) clearTimeout(idleTimer);
        idleTimer = setTimeout(triggerLogout, idleLimit);
    }

    // Call the Sling logout endpoint, then redirect to the root page.
    function triggerLogout() {
        console.info("User inactive for 30 minutes. Logging out.");
        $.ajax({
            type: "GET",
            url: logoutUrl,
            success: function () {
                window.location.href = "/";
            },
            error: function () {
                console.error("Failed to logout due to AJAX error.");
            }
        });
    }

    function startIdleDetection() {
        // Listen to events
        $(document).on("mousemove keydown scroll click", resetTimer);
        resetTimer();
    }

    $(document).ready(function () {
        startIdleDetection();
    });
})(jQuery, window, document);
```
5. Deploy & Test
Build the clientlib using AEM Developer Console or CRXDE Lite
Check browser network tab: Confirm inactivity.js is loaded on:
/sites.html
/assets.html
/useradmin
Wait 30 mins or reduce idleLimit to test quickly
Ensure auto-logout and redirect work
Regards,
Amit
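The two scripts above keep one `setTimeout` per tab, so an idle second tab can log the user out while they work in another, and a throttled or suspended timer can fire late. The following added example (not code from the thread or from Adobe) stores the last activity time in storage shared by all tabs and compares it with the wall clock. `createIdleTracker`, `STORAGE_KEY` and its value are hypothetical names; the logout URL is the one used in the replies.

```javascript
"use strict";
// Added example; createIdleTracker and STORAGE_KEY are hypothetical names.
var STORAGE_KEY = "idle.lastActivity"; // constructed key, shared by all tabs
// opts.storage: getItem/setItem/removeItem; opts.now: returns epoch ms.
function createIdleTracker(opts) {
  var throttleMs = opts.throttleMs || 5000; // limit storage writes
  var lastWrite = -Infinity, expired = false;
  // Compare wall-clock time with the last activity recorded by ANY tab,
  // so a throttled or suspended timer cannot extend the session.
  function check() {
    if (expired) { return true; }
    var last = parseInt(opts.storage.getItem(STORAGE_KEY), 10);
    if (isNaN(last)) { // first load, or first check after a logout
      opts.storage.setItem(STORAGE_KEY, String(opts.now()));
      return false;
    }
    if (opts.now() - last >= opts.limitMs) {
      expired = true;
      opts.storage.removeItem(STORAGE_KEY); // avoid a logout loop on re-login
      opts.onExpire();
    }
    return expired;
  }

  // Record activity. The deadline is checked first, so input after a long
  // sleep triggers logout instead of silently reviving the session.
  function touch() {
    var t = opts.now();
    if (t - lastWrite < throttleMs || check()) { return; }
    lastWrite = t;
    opts.storage.setItem(STORAGE_KEY, String(t));
  }

  return { touch: touch, check: check };
}
// Browser wiring (skipped outside a browser, e.g. under Node).
if (typeof window !== "undefined" && window.localStorage) {
  var tracker = createIdleTracker({
    limitMs: 30 * 60 * 1000, storage: window.localStorage, now: Date.now,
    onExpire: function () { // same logout URL as in the replies above
      window.location.href = Granite.HTTP.externalize("/system/sling/logout?resource=/");
    }
  });
  ["mousemove", "keydown", "scroll", "click"].forEach(function (name) {
    document.addEventListener(name, tracker.touch, true);
  });
  document.addEventListener("visibilitychange", tracker.check);
  setInterval(tracker.check, 15000);
}
```

This remains a convenience layer in the browser; the server-side token expiry is still what actually ends the session.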