App Session Timeout

I find myself needing the ability to restrict how long any particular login will be valid - a way to automatically log users out of the app after X amount of time has passed.

Main reason:

I can’t build a HIPAA-compliant system using AppSheet if I can log into the system once and forever be logged in; if I walk away from the computer for the weekend (and don’t log out), I need the app to lock itself down.

Sure… I could build in some sort of ticketing system into my app, put conditional statements on all the views, etc. But that wouldn’t really “secure” the app, merely providing the illusion of security, as the login is still valid and access is still granted.

What I really need is a way to force an open app back to the login screen, logging the person out automatically, after they’ve been inactive for X amount of time.


I’ve built an app that uses Cognito for its authentication provider; I’ve looked through the documentation there, briefly (there’s a lot), but haven’t found anything that looks like it would solve this problem.

I did find this:

[image]

So I’m able to restrict to 24 hours; I’m wondering about a tighter restriction than that.

As always, thanks for your consideration!

Status Open
2 Comments
Status changed to: Open
Pratyusha
Community Manager
 
Ed_Cottrell
Bronze 5

I really (like really) need to be able to force log out for users also.

In fact I really would like to be able to control this on a per user basis.

@MultiTech I too am using Cognito for a multi-tenant app and believe the refresh token expiry setting on Cognito is not used or even recognised by AppSheet.

I have a feature which removes a UserEmail from the Cognito pool (AppSheet webhook sent to an intermediary web app that hits up the Cognito API), and is also used to reinstate an email. I also use this to change a user’s authorised login email - a way of controlling the app user whitelist, if you will, from within the app.

HOWEVER, even if an authorised user has their email address removed from the Cognito pool after they’ve successfully logged in, they can still continue to use the app for as long as they like, for as long as they don’t log out!

Hence, I really, really, need AppSheet to at minimum check the Cognito pool each time the app loads!!

How do we escalate this feature request - it really is fundamental and critical in a multi-tenant environment, or indeed any environment with large numbers of app users.

@Aleksi @Steve @pravse @Nick and anyone who can drive this forward? 🙏
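
The three server-side checks this thread asks for (an idle timeout, a maximum session lifetime, and a user-pool lookup on every load), as an added example; it is not AppSheet or Cognito code. `Session`, `check_session`, the 15-minute idle value and the in-memory pool are assumptions; in a Cognito-backed deployment the `is_user_active` callback could wrap the AdminGetUser API.

```python
import time
from dataclasses import dataclass
from typing import Callable

IDLE_TIMEOUT_S = 15 * 60         # assumed policy: log out after 15 min of inactivity
ABSOLUTE_LIFETIME_S = 24 * 3600  # the 24-hour ceiling mentioned in the post


@dataclass
class Session:
    email: str
    issued_at: float   # when the user authenticated
    last_seen: float   # last request that passed every check


def check_session(session: Session, now: float,
                  is_user_active: Callable[[str], bool]) -> str:
    """Return 'ok', or the reason the session must go back to the login screen."""
    if now - session.issued_at > ABSOLUTE_LIFETIME_S:
        return "expired"
    if now - session.last_seen > IDLE_TIMEOUT_S:
        return "idle"
    # Ask the directory on every load, so removing a user takes effect
    # immediately rather than at their next voluntary logout.
    if not is_user_active(session.email):
        return "revoked"
    session.last_seen = now  # sliding window: only accepted activity extends it
    return "ok"


def demo() -> list[str]:
    # Constructed sample data: an in-memory stand-in for the user pool.
    pool = {"alice@example.com", "bob@example.com"}
    lookup = pool.__contains__
    t0 = 1_700_000_000.0
    alice = Session("alice@example.com", t0, t0)
    bob = Session("bob@example.com", t0, t0)
    results = [check_session(alice, t0 + 60, lookup)]               # active use
    results.append(check_session(alice, t0 + 60 + 3600, lookup))    # left for an hour
    pool.discard("bob@example.com")                                 # admin removes bob
    results.append(check_session(bob, t0 + 120, lookup))            # bob still has a session
    old = Session("alice@example.com", t0, t0 + 25 * 3600 - 10)
    results.append(check_session(old, t0 + 25 * 3600, lookup))      # active but too old
    return results


if __name__ == "__main__":
    print(demo())
```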