How to logout user after 5 minutes of innactivity

help
1

Hi, maybe I was not search so deep, but I did not found the information in Meteor Docs, how and where I can set the time to logout user after for example 5 minutes of innactivity.

Q1:
I’m using the “accounts-ui@1.3.1” package. I found the possibility to set “loginExpirationInDays”: 0.05, but It not works correctly, because the login will expire sooner like expected. It seems to be, that loginExpiration time does not extend during working with the app.

Q2:
Also, how can I calculate 5 minutes. Calculate proportion of the day? With this way, it not works.
1 hours is 1/24 = 0.041
30 min is 0.041/2 = 0.020
5 min = (0.041/60)*5 = 0,003417

I set 0.05 and it’s about 10minutes, If I will set lower value than 0.04, it not works.

I’m asking to understand and make me clear, how It works and how can I setup correctly the expiration and how can I solve the problem with noextend expiration time, when I’m using the app.

Thanks for each answer :slight_smile:

Mirror of the question: https://stackoverflow.com/questions/64495622/meteor-framework-how-to-logout-user-after-5-minutes-of-innactivity

2

loginExpirationInDays is not meant for inactivity measurement. It is used to balance between security and usability e.g. user does not have to login daily but must do it once a week

You need to handle inactivity on the UI. There are npm packages out there that sets the timeout from the last activity on the page and then call Meteor.logout when time is over, or reset the timer when activity is observed

2 Likes
3

@rjdavid And can you recommend me one by your BIG experiences please? :grinning: I was searching in Atmosphere, I found one, but it was very old runnig with jQuery 1.x, which is insecure.

Thank you very much.

1 Like
4
2 Likes
5

@rjdavid the client side can be solved, but what about server side?

const activityDetector = createActivityDetector({
    timeToIdle: 20000
});

activityDetector.on('idle', () => {
    if (Meteor.user()) {
        Meteor.logout();
    }
});
1 Like
6

What about the server-side are you looking for?

1 Like
7

If for some reason will be server unavailable, client side does not logout user (with Meteor.logout()) from the server.

8

Sorry, I was combining two different things in my ideas above, connecting and inactivity.

On the server-side, it will require more work. In our case, we are using a current user subscription that once the subscription stops, we can delete the login tokens of the user

1 Like
9

And can you give me an example? It not must be a copy paste src, but something to deeper understand, how to do this.

I can delete the the user token, but I was thinking, that somewhere exists Meteor component for this and if needed, I will call something each minute from cgi task for example to check and delete expired tokens.

But somewhere I must save a timestamp of last user request to server. But I don’t have an idea how to do this.

Thank you very much for your answer :slight_smile:

10

Don’t have my laptop now. But check your mongo db. There is a default collection for login tokens. You can remove according to user id

1 Like
11

@rjdavid… yes, but still I don’t understand, how to check, which user tokens are alive and which user tokens was expired.

Probably I need to store somewhere to user.private the timestamp of theirs last request to the server (or something like that) to check the expiration. Does exists any Meteor server event which is called on each user request to the server?

Or are you using another mechanism to make this?

Thanks a lot @rjdavid

12

We use a publication. Inside a publication, the user id exists if the user is logged in. So we can check everytime the user connects and disconnects

1 Like
13

I think you can easily build your mechanism around this library: https://github.com/Konecty/meteor-user-presence

2 Likes
14

@rjdavid …please, can you share only a short example?

Because, I think, that Meteor.userId will return the id when the user is logged-in and null if logged-out.

But, the user logout depends on account package and on the " loginExpirationInDays" option.

…but the loginExpirationInDays will logout the user for example 10minutes not from his last request to the server but from his login time (I think). Therefore this way will logout user sooner like expected without reflect, if user is currently active or not.

image

Thx a lot.

15

Again, we use publications to track the presence of a user. Then use the onStop() function of the publication as a trigger to check and/or update the presence status of the user.

We do not use loginExpirationInDays for inactivity tracking so I cannot help you on that part

1 Like
16

Sorry, if I understand correctly, somewhere in publish you have this.onStop({…here you will update the timestamp and presence status somewhere in user profile…}); Can you send me the short example of the code?

I was thinking by this way… https://gitlab.com/acqsk/meteor-session-expiration Is it bad way? I don’t know, how to get the hashedToken in accountTokup method to update right token.

17

@rjdavid Please, check the server.js on line 25. Now I’m updating all tokens by userId, but it’s of course wrong. How can I get the current user token and update only those token, which is currently using?

Thank a lot.

18

We actually use a separate collection called Presence which tracks if the user is active, idle, or offline. We do not touch the login tokens unless we all delete them for a single user (if I am correct, there is a function to delete all login tokens for a user). Sorry, far from my laptop

(Also check the posts above about a presence package. The only difference in that is that it keeps the presence data with the user collection)

2 Likes
19

@paulishca Thank youu! This is exactly, what I was searching for. But longer time I was not able to found a solution, therefore I was started to create my own package.