Forcing user to log in again after period of inactivity in web admin console

Hi, I am wondering if DF supports invalidation of a session in the web application after a period of inactivity. It doesn’t seem so because even though you can set a TTL on the JWT token, each click in the web app refreshes the token even if it has expired. So the only way you force logout in the web app is if the entire session is beyond the DF_JWT_REFRESH_TTL, regardless of activity.

My installation: DF Gold version 4.2.1 on a local Bitnami Docker installation.

Thanks in advance for any help.

Allow sessions to be refreshable forever, true or false

DF_ALLOW_FOREVER_SESSIONS=false

Changing the above parameter in your .env file will allow you to have sessions that will remain active unless you log out. As you already know, you can set this parameter and use it in conjunction with DF_JWT_REFRESH_TTL.

Hope it helps

@abhishek.pandey thanks for the reply, but it does not really answer my question. I want the web session to act like many other web sites where the user gets logged out after a period of inactivity. Do you understand that concept? It means the user is idle and has not clicked anything. From what I can tell, any click in the web admin console refreshes the token, so the user will always stay logged in until DF_JWT_REFRESH_TTL minutes. I did not change DF_ALLOW_FOREVER_SESSIONS, which I assume leaves it false, but the documentation does not say what the default is.

I want the period of inactivity to be one hour so I want to set DF_JWT_TTL=60 but it doesn’t matter because it will refresh until DF_JWT_REFRESH_TTL which I have set to 480 or 8 hours.
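
Added example, not part of any post in this thread and not DreamFactory code: a small model contrasting the refresh-window behaviour described above with an idle timeout, using the 60 and 480 minute values from the last post. It assumes refresh works as the thread describes (an expired token is replaced on the next click while the session is still inside the refresh window, measured from login); `firstRejectedClick` and `idleLimit` are hypothetical names.

```javascript
// Model only: times are minutes since login, values taken from the thread.
const JWT_TTL = 60;          // DF_JWT_TTL
const JWT_REFRESH_TTL = 480; // DF_JWT_REFRESH_TTL

// Walks a list of click times and reports the first click that would force
// a new login. With idleLimit = null only the refresh window applies (the
// behaviour the thread describes). With idleLimit set, a gap between two
// clicks longer than idleLimit also ends the session (the behaviour the
// poster is asking for). idleLimit is a hypothetical parameter.
function firstRejectedClick(clicks, { idleLimit = null } = {}) {
  let tokenIssuedAt = 0; // issue time of the token currently held
  let lastActivity = 0;  // time of the last accepted click
  let refreshes = 0;     // how many times an expired token was replaced

  for (const t of clicks) {
    // Absolute cap: past the refresh window no refresh is possible.
    if (t > JWT_REFRESH_TTL) {
      return { rejectedAt: t, reason: "refresh window exceeded", refreshes };
    }
    // Idle cap: checked before any refresh, so an idle user cannot
    // revive the session just by clicking again.
    if (idleLimit !== null && t - lastActivity > idleLimit) {
      return { rejectedAt: t, reason: "idle timeout", refreshes };
    }
    // Token expired but session still refreshable: issue a new token.
    if (t - tokenIssuedAt > JWT_TTL) {
      tokenIssuedAt = t;
      refreshes += 1;
    }
    lastActivity = t;
  }
  return { rejectedAt: null, reason: null, refreshes };
}

// Constructed click timeline: active, then idle for two hours, then back.
const idleThenBack = [10, 30, 150, 160, 500];
console.log(firstRejectedClick(idleThenBack));
console.log(firstRejectedClick(idleThenBack, { idleLimit: 60 }));
```

In this model the two-hour gap goes unnoticed without an idle limit, and the session only ends at the click after minute 480; with a 60-minute idle limit the click at minute 150 is the one that forces a new login.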