
Propose new functionalities for Decidim software

#DecidimRoadmap Designing Decidim together

Phase 1 of 1
Open 2019-01-01 - 2030-12-31

[Security] Automatically sign out user after certain period of time

Antti Hukkanen
04/02/2021 14:11
Finished

**Is your feature request related to a problem? Please describe.**

Currently we have the possibility to configure "timeout_in" time which closes the session at Decidim's side after a certain period of inactivity. This is fine, as long as we don't have any external sign in options which also need their own sign out flows during the sign out from Decidim.

Another issue is that the user is not informed that their session is about to expire and it may come as a surprise that they were signed out.

**Describe the solution you'd like**

We'd like to have these changes to the session termination:

  • E.g. 1-2 minutes before the session is about to expire, the user should be shown a session expiration modal which states that their session is about to expire.
  • If the user wants, they could extend their session by clicking a button from that window.
  • When the session is automatically terminated, send the user to the normal sign out flow so that the user is also signed out from any external services that could be possibly configured for the sign out flow through Omniauth.
  • After the user is signed out automatically, show a special message that explains to the user what happened, so they are not left wondering what just happened.

**Describe alternatives you've considered**

As mentioned, the alternative to this is already part of Devise but it does not take into consideration the external services' sign out flows. Also, the user experience is not the greatest as the user will not get clear information about what happened and why.

**Additional context**

Similar concepts to what is proposed can be seen e.g. in online banking. This is an important feature when we provide strong authentication to the users as other people could possibly use their credentials if they did not sign out from the service.

**Could this issue impact users' private data?**

Yes, this has a positive impact on users' private data. Implementing these features keeps the user more secure.

**Funded by**

Mainio Tech


The development of this proposal has finished

  • Reviewed by @product and accepted in the main project
  • Funded by Mainio Tech
  • Developed by Mainio Tech
  • Available in release 0.24 via #7282
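
The warn, extend, and sign-out sequence requested in the proposal above, sketched as an added example; it is not code from the proposal, Decidim, or Devise. The names `sessionPhase`, `SessionTimeoutMonitor`, `onWarn` and `onExpire` are hypothetical, and the clock is injectable so the logic can be exercised without waiting.

```javascript
// Added example: all names here are hypothetical, not Decidim or Devise APIs.

// Pure decision: which phase is the session in at time `nowMs`?
function sessionPhase(nowMs, lastActivityMs, timeoutMs, warnBeforeMs) {
  const remainingMs = lastActivityMs + timeoutMs - nowMs;
  if (remainingMs <= 0) return { phase: "expired", remainingMs: 0 };
  if (remainingMs <= warnBeforeMs) return { phase: "warning", remainingMs };
  return { phase: "active", remainingMs };
}

class SessionTimeoutMonitor {
  constructor({ timeoutMs, warnBeforeMs, now = Date.now, onWarn, onExpire }) {
    this.timeoutMs = timeoutMs;
    this.warnBeforeMs = warnBeforeMs;
    this.now = now;
    this.onWarn = onWarn;     // e.g. open the "session about to expire" modal
    this.onExpire = onExpire; // e.g. navigate to the normal sign-out flow
    this.lastActivityMs = now();
    this.warned = false;
    this.expired = false;
  }

  // "Extend session" button. In a real page this must also hit the server so
  // the server-side inactivity timer (the authoritative one) is reset too.
  extend() {
    if (this.expired) return false; // cannot revive an expired session client-side
    this.lastActivityMs = this.now();
    this.warned = false;
    return true;
  }

  // Call periodically (e.g. from setInterval). Each callback fires once.
  tick() {
    const state = sessionPhase(this.now(), this.lastActivityMs,
                               this.timeoutMs, this.warnBeforeMs);
    if (state.phase === "warning" && !this.warned) {
      this.warned = true;
      this.onWarn(state.remainingMs);
    } else if (state.phase === "expired" && !this.expired) {
      this.expired = true;
      // Use the normal sign-out flow, not just a dropped cookie, so external
      // sign-out steps run; the reason lets the landing page explain it.
      this.onExpire("timeout");
    }
    return state.phase;
  }
}
```

The client-side timer only drives the modal and the redirect; the server-side inactivity timeout still has to end the session on its own if the browser never runs this code.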


Reference: MDC-PROP-2021-02-16220
Version number 3 (of 3)