Auto logging out ignores user activity


#1

Hello,

we have a free version of MM v4.1.0 in our company and we like it a lot. The only thing that’s bugging us is the auto log out logic which seems to ignore user activity. Usually, if a user performs some active tasks while logged in, a system keeps him/her logged in until he/she does not log out explicitly or a predetermined period of inactivity has elapsed. In MM, we thought this period is set up in the system console under security->sessions. However, this period only takes into consideration when the user logged in and not what he/she was doing.

Summary

Even if a user uses the chat on a daily basis, they are still logged out after Session length days (set to e.g. 10).

Steps to reproduce

  • Set up 10 days under security->sessions->Session length AD/LDAP and email.
  • Log in on, let’s say, the 10th of January
  • Work every day
  • On the 20th you will be logged out even in the middle of writing your message

Expected behavior

MM should consider user activity when expiring the session. Is there configuration setup which allows me to expire a user’s session if he/she is inactive for a long period of time but keeps the session valid if the user is active. I don’t think setting session length to some insane high number is the correct approach. Quite the contrary, I would like to set the limit up pretty tightly, like 1-2 days of inactivity, but I obviously don’t want to punish everyone who is actively using MM at the moment.

A related problem is that if you are logged out, the desktop application does not change the systray icon or let’s you know in any way that you have been logged out without actually checking the app window. MM desktop app should let you know visually that you have been auto logged out (also, at least the desktop app should (optionally) remember your credentials and log you back in without interaction).

Observed behavior

Described above.


#2

Hi @dfabian - I think the current behaviour is the typical behaviour for a session length setting.

However we do have another ticket to add support for logging people out after a period of inactivity, does this ticket look like it covers what you’re asking for?

https://mattermost.atlassian.net/browse/PLT-7633


#3

Hello,

rather not. I would really want to set up MM to auto log out users only after cca 3 days of inactivity (no messages sent, no new messages read). Otherwise, people should stay logged in. For starters, it would suffice to just disable auto logging out (i.e. setting up session length to infinity) and prevent MM from logging out users in the middle of their work. Can I disable session expiration in the system console?

The ticket (which btw. only targets E20 installations) only deals with short periods of inactivity (minutes). I don’t think our users would appreciate such a strict policy. We have a low volume chat, it is common that there is no message produced for an hour or so. Also, I don’t know how javascript timer handles the fact that people tend to hibernate their desktops during weekends.


#4

Hi @dfabian - the ticket refers to minutes because that’s the granularity some of our other deployments require, but you would be able to set it to a large number of minutes if needed.

For session length, I don’t think it can be completely disabled right now, but if you don’t want people to get logged out you can set it to a large number (eg 999).

If you would like to request adding an disabling session length altogether, you can submit ideas here for others to upvote: https://mattermost.uservoice.com/forums/306457-general

Hope that helps as a starting point!