PalisadoesFoundation / talawa-admin

Admin portal for the Talawa Mobile App. Click on the link below to see our documentation
https://docs.talawa.io/
GNU General Public License v3.0
156 stars 644 forks

Enhancements for Session Management in both user and admin portal #1305

Closed aashimawadhwa closed 2 weeks ago

aashimawadhwa commented 11 months ago

Describe the bug

The current system lacks admin-configurable session timeouts, leading to unexpected logouts. Additionally, users are not receiving warnings before timeouts, and the messaging upon session logout does not redirect them to the login screen seamlessly.

To Reproduce

Steps to reproduce the behavior:

  1. Login to talawa-admin portal.
  2. Leave the user logged in until the session times out.
  3. The user gets logged out without receiving any warning on session timeout.

Expected behavior

Actual behavior

Admin does not have any feature to configure the session timeouts, nor is there any warning displayed before a session timeout.

Screenshots

NA

Additional details

NA

Potential internship candidates

Please read this if you are planning to apply for a Palisadoes Foundation internship: https://github.com/PalisadoesFoundation/talawa/issues/359

chandel-aman commented 11 months ago

@palisadoes @noman2002 May I be assigned to address this issue?

chandel-aman commented 11 months ago

@aashimawadhwa Regarding the implementation of admin-configurable session timeouts, does this imply that each organization will be able to set its own session timeout values?

chandel-aman commented 11 months ago

@aashimawadhwa Also, currently, our system logs out users only after a specified period of inactivity. For active users, we manage session timeouts by renewing access tokens through refresh tokens. However, if a user is inactive, implying they are not actively on the screen, is it necessary to display a warning when the session expires? Wouldn't this warning be ineffective if the user is not actively engaged on the screen?

chandel-aman commented 11 months ago

@palisadoes @aashimawadhwa

I've got a couple more queries about configurable timeouts:

  1. When we say that the admins can configure the session timeout, do we mean for each organization?

    • If yes, then what should be the timeout duration for users belonging to multiple organizations?
    • Should it be configurable by both admins and super-admins?
    • And what should be the timeout duration for admins and super-admins?
  2. What should be the acceptable time range for admins to configure timeout duration?

    Based on my web research, a time range between 15 and 60 minutes would be reasonable, considering both security and performance concerns. What are your views on this?

noman2002 commented 11 months ago

@chandel-aman

chandel-aman commented 11 months ago

Thanks for the info, @noman2002!

palisadoes commented 11 months ago

This would be much better served at the Community level with a single value for all organizations. Therefore it would be managed by the SuperAdmin using this profile page for the configuration.

Please make the appropriate changes to make this a single universal parameter.
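
The behaviour discussed in the thread so far (one community-wide inactivity timeout, a warning shortly before it elapses, then a logout) as an added sketch. It is not talawa-admin code and was not posted by any commenter; every name is hypothetical, the 15 to 60 minute bounds are the range proposed above rather than a project setting, and the 60-second warning window used in the test is an assumption.

```javascript
// Added example, not talawa-admin code. All names are hypothetical; the
// 15-60 minute bounds are the range proposed in the thread, not a project setting.
const MIN_TIMEOUT_MIN = 15;
const MAX_TIMEOUT_MIN = 60;

// Validate the single community-wide value before storing it.
function clampTimeoutMinutes(value) {
  if (typeof value !== 'number' || !Number.isInteger(value)) {
    throw new RangeError('timeout must be a whole number of minutes');
  }
  return Math.min(MAX_TIMEOUT_MIN, Math.max(MIN_TIMEOUT_MIN, value));
}

class IdleSession {
  // Times are epoch milliseconds, passed in so the logic can be tested without timers.
  constructor(timeoutMinutes, warnSeconds, now) {
    this.timeoutMs = clampTimeoutMinutes(timeoutMinutes) * 60000;
    this.warnMs = Math.min(warnSeconds * 1000, this.timeoutMs);
    this.lastActivity = now;
  }

  // 'active' -> 'warning' (show the countdown prompt) -> 'expired' (go to login).
  state(now) {
    const idle = now - this.lastActivity;
    if (idle >= this.timeoutMs) return 'expired';
    if (idle >= this.timeoutMs - this.warnMs) return 'warning';
    return 'active';
  }

  // Record user activity. An expired session is never revived by late
  // activity; the user has to authenticate again.
  touch(now) {
    if (this.state(now) === 'expired') return false;
    this.lastActivity = now;
    return true;
  }

  // Whole seconds left before expiry, for the warning text.
  secondsLeft(now) {
    return Math.max(0, Math.ceil((this.lastActivity + this.timeoutMs - now) / 1000));
  }
}
```

The browser-side state only drives the warning and the redirect to login; the server still has to reject expired tokens on its own clock.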

github-actions[bot] commented 10 months ago

This issue did not get any activity in the past 10 days and will be closed in 180 days if no update occurs. Please check if the develop branch has fixed it and report again or close the issue.

palisadoes commented 9 months ago

Unassigning due to inactivity

AmitSharma512 commented 9 months ago

@Cioppolo14 can I work on this?

Olatade commented 9 months ago

@AmitSharma512

Our policy is to assign no more than one issue to each contributor across all repositories. This way everyone gets a chance to participate in the projects. We sometimes give exceptions for more urgent cases and sometimes we lose track, but the policy stands. You have reached your limit, please wait until your existing issues are closed before requesting more issues. You could unassign yourself from one of the other issues too.

DecodeAndCode commented 9 months ago

I would like to work on this issue.

plasma018 commented 7 months ago

Unassigning due to inactivity
