talawa-admin
Enhancements for Session Management in both user and admin portal
Describe the bug
The current system lacks admin-configurable session timeouts, leading to unexpected logouts. Additionally, users are not receiving warnings before timeouts, and the messaging upon session logout does not redirect them to the login screen seamlessly.
To Reproduce
Steps to reproduce the behavior:
- Login to talawa-admin portal.
- Leave the user logged in until the session times out.
- The user gets logged out without receiving any warning on session timeout.
Expected behavior
- Admin should be able to configure the session timeouts in settings
- the user should receive a warning before the session timeout and should get redirected to login screen automatically.
Actual behavior
Admin does not have any feature to configure the session timeouts, nor is there any warning displayed before a session timeout.
Screenshots
NA
Additional details
NA
Potential internship candidates
Please read this if you are planning to apply for a Palisadoes Foundation internship https://github.com/PalisadoesFoundation/talawa/issues/359
@palisadoes @noman2002 May I be assigned to address this issue?
@aashimawadhwa Regarding the implementation of admin-configurable session timeouts, does this imply that each organization will be able to set its own session timeout values?
@aashimawadhwa Also, currently, our system logs out users only after a specified period of inactivity. For active users, we manage session timeouts by renewing access tokens through refresh tokens. However, if a user is inactive, implying they are not actively on the screen, is it necessary to display a warning when the session expires? Wouldn't this warning be ineffective if the user is not actively engaged on the screen?
@palisadoes @aashimawadhwa
I've got a couple more queries about configurable timeouts:
- When we say that the admins can configure the session timeout, do we mean for each organization?
  - If yes, then what should be the timeout duration for users belonging to multiple organizations?
  - Should it be configurable by both admins and super-admins?
  - And what should be the timeout duration for admins and super-admins?
- What should be the acceptable time range for admins to configure the timeout duration?
Based on my web research, a time range between 15 to 60 minutes would be reasonable, considering both security and performance concerns. What are your views on this?
@chandel-aman
- If the user belongs to multiple organizations then take the highest one.
- yes it will be configurable by both admin and super-admin
- 30 mins by default for everyone.
- The range can be between 15 to 60 mins.
Thanks for the info, @noman2002!
This would be much better served at the Community level with a single value for all organizations. Therefore it would be managed by the SuperAdmin using this profile page for the configuration
- https://github.com/PalisadoesFoundation/talawa-admin/issues/1334#issuecomment-1879522861
Please make the appropriate changes to make this a single universal parameter
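The policy settled on above (one community-wide inactivity timeout set by the SuperAdmin, allowed range 15 to 60 minutes, 30 minutes by default, a warning shown before expiry and a forced logout afterwards) can be modelled in a few pure functions. The block below is an added illustration, not code from talawa-admin; the names `resolveTimeoutMinutes`, `buildPolicy`, `evaluateSession` and `IdleSession` and the two-minute warning lead time are assumptions. It deliberately avoids the DOM so the same logic can drive a React component (reset the clock from user events, run `check()` from a `setInterval`) and still be unit-tested on its own.

```typescript
// Added example (not talawa-admin's own code). Models the session-timeout
// policy from the thread: one community-wide value, 15-60 min, default 30.
const MIN_TIMEOUT_MINUTES = 15;
const MAX_TIMEOUT_MINUTES = 60;
const DEFAULT_TIMEOUT_MINUTES = 30;

type SessionState = "active" | "warn" | "expired";

interface SessionPolicy {
  timeoutMinutes: number;  // inactivity period after which the user is logged out
  warningMinutes: number;  // how long before expiry the warning is shown (assumed: 2)
}

// Validates the SuperAdmin-supplied value. Out-of-range input is rejected
// rather than silently clamped so a misconfiguration is visible; a missing
// value falls back to the 30-minute default from the thread.
function resolveTimeoutMinutes(configured?: number | null): number {
  if (configured === undefined || configured === null) {
    return DEFAULT_TIMEOUT_MINUTES;
  }
  if (!Number.isInteger(configured) ||
      configured < MIN_TIMEOUT_MINUTES || configured > MAX_TIMEOUT_MINUTES) {
    throw new RangeError(
      `session timeout must be an integer between ${MIN_TIMEOUT_MINUTES} and ${MAX_TIMEOUT_MINUTES} minutes`);
  }
  return configured;
}

function buildPolicy(configured?: number | null, warningMinutes = 2): SessionPolicy {
  const timeoutMinutes = resolveTimeoutMinutes(configured);
  if (warningMinutes <= 0 || warningMinutes >= timeoutMinutes) {
    throw new RangeError("warning lead time must be positive and shorter than the timeout");
  }
  return { timeoutMinutes, warningMinutes };
}

// Pure decision: given last activity and "now" (epoch ms), is the session
// still active, should the warning be shown, or has it expired (redirect to login)?
function evaluateSession(policy: SessionPolicy, lastActivityMs: number, nowMs: number): SessionState {
  const idleMs = nowMs - lastActivityMs;
  const timeoutMs = policy.timeoutMinutes * 60_000;
  const warnAtMs = timeoutMs - policy.warningMinutes * 60_000;
  if (idleMs >= timeoutMs) return "expired";
  if (idleMs >= warnAtMs) return "warn";
  return "active";
}

// Stateful watcher: fires onWarn once per idle period and onExpire exactly once.
// Wire touch() to user events and check() to a periodic timer in the UI layer.
class IdleSession {
  private lastActivityMs: number;
  private warned = false;
  private expired = false;

  constructor(private readonly policy: SessionPolicy,
              private readonly onWarn: () => void,
              private readonly onExpire: () => void,
              nowMs: number) {
    this.lastActivityMs = nowMs;
  }

  // Any user interaction resets the idle clock and dismisses a pending warning.
  touch(nowMs: number): void {
    if (this.expired) return;
    this.lastActivityMs = nowMs;
    this.warned = false;
  }

  // Periodic check; once expired the session stays expired until re-login.
  check(nowMs: number): SessionState {
    if (this.expired) return "expired";
    const state = evaluateSession(this.policy, this.lastActivityMs, nowMs);
    if (state === "expired") {
      this.expired = true;
      this.onExpire();
    } else if (state === "warn" && !this.warned) {
      this.warned = true;
      this.onWarn();
    }
    return state;
  }
}
```

Because `evaluateSession` is pure, the warning threshold and the expiry threshold can be tested without timers; the UI only has to call `touch()` on interaction and `check()` on a timer, and route `onExpire` to the login redirect the issue asks for.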
This issue did not get any activity in the past 10 days and will be closed in 180 days if no update occurs. Please check if the develop branch has fixed it and report again or close the issue.
Unassigning due to inactivity
@Cioppolo14 can I work on this?
@AmitSharma512
Our policy is to assign no more than one issue to each contributor across all repositories. This way everyone gets a chance to participate in the projects. We sometimes give exceptions for more urgent cases and sometimes we lose track, but the policy stands. You have reached your limit, please wait until your existing issues are closed before requesting more issues. You could unassign yourself from one of the other issues too.
I would like to work on this issue.
This issue did not get any activity in the past 10 days and will be closed in 180 days if no update occurs. Please check if the develop branch has fixed it and report again or close the issue.
Unassigning due to inactivity
This issue did not get any activity in the past 10 days and will be closed in 180 days if no update occurs. Please check if the develop branch has fixed it and report again or close the issue.