Manage user sessions

The Now Platform provides the ability to view and terminate individual user sessions, lock out users from the system, and make users inactive..

  • Terminating a specific user session effectively logs that user out of the next transaction, which is usually the next browser click. Use the terminate sessions feature when you want to perform system maintenance.
  • Locking a user out of the system means the user can no longer log in or generate any actions from any email messages that the user sends to the instance. Locking out users also terminates their user sessions.
  • Making a user inactive means that the user does not show up in any fields that reference active users on the User table.

Modify session timeout

The base system uses the default Apache session timeout of 30 minutes.

Before you begin

Role required: admin

About this task

After 30 minutes of inactivity in the application, the platform logs the user out automatically, unless the Remember Me check box in the login screen is selected. Making the interval longer can lead to the unnecessary maintenance of inactive sessions in memory. Adjust this timeout setting to no more than a few hours, although up to 24 hours is workable.
Note: Regardless of how many windows a user has open in a browser, it is considered to be one session. However, if a user has two separate browsers open (such as Internet Explorer and Firefox), it is considered to be two separate sessions.

To set the session timeout manually:

Procedure

  1. Clear the Remember Me check box in the login screen.
  2. Add a new property using the following values:
    • Name: glide.ui.session_timeout
    • Description: Type a brief description. In this case, enter something like Override the default session timeout (30). This value is in minutes.
    • Type: Select the appropriate data type. In this case, select Integer.
    • Value: Change the default value from 30 minutes to a value of your choice.
    Note: The session timeout can also be set through installation exit customizations.

What to do next

  • Ajax calls to the server keep the session alive (such as Labels and Refreshing homepages).
  • Polling keeps the session alive when the chat desktop is open (requires the Chat plugin).
  • Administrators can add the following properties to the System Properties table.
    • glide.security.csrf.handle.ajax.timeout: Handles errors for timed out Ajax requests when set to true.
    • glide.security.auto.resubmit.ajax: Automatically resubmits timed-out Ajax requests when set to true and the Remember Me check box is selected or automatically set. A popup appears to users asking them to continue.
    • glide.ui.auto_req.extend.session: When set to true, the system automatically extends a user's session by the value the user selects for the homepage refresh time. If there is no homepage refresh time, the standard timeout value applies. Tablet and mobile devices do not support this property. When set to false, user sessions time out when the Remember me check box is clear. The timeout is based on whether there is a homepage refresh time. When there is no homepage refresh time, the standard timeout value applies. When there is a homepage refresh time, the user session times out after the timeout value plus one interval of the homepage refresh time. For example, if a user selects to refresh interval of five minutes, then user sessions expires after the timeout value plus five minutes.
      Note: Users who select the Remember me check box are unaffected by session timeout properties.
  • Administrators can also add the following properties to configure an alternate session timeout value for guest sessions to conserve system resources:
    • glide.session.unauthorized.timeout.enabled: If set to true, enables an alternate session timeout for unauthenticated, guest sessions. Guest sessions are created for HTTP requests to the instance that do not contain authentication information. By default this property is set to true.
    • glide.session.unauthorized.timeout: The session timeout value in minutes that controls the lifespan of an unauthenticated (unauthenticated) guest session. Set the property to a value greater than 0 and less than the value in the glide.ui.session_timeout property.

Lock out a user

Lock out a user when you do not want the user to access the instance.

Before you begin

Role required: user_admin or admin

Procedure

  1. Navigate to User Administration > Users and select the user from the list.
  2. Select the Locked Out check box, and update the record.

Mark a user inactive

You can mark a user inactive so the user does not show up in any fields that reference active users on the User table.

About this task

Making a user inactive does not lock out the user. The Lock Out Inactive Users business rule, which is active by default in all instances, sets the Locked Out flag to true on the User record when the Active flag is set to false. If you do not have this business rule active, inactive users are not automatically locked out and can still log in the instance.

Procedure

  1. Navigate to User Administration > Users and select the user from the list.
  2. Clear the Active check box, and update the record.

Terminate a specific user session

You can terminate a user session, for example, if you are going to perform system maintenance and users are still logged in.

  1. Navigate to User Administration > Logged in users.
    You can only see users who are logged into the same application node as you. If the Active field on a user record value is false, the user is logged in but not currently running a transaction. Most users appear as inactive at any given time.
  2. Select the session you want to end.
  3. Click Lock Out Session.
    The session is terminated, and the user is redirected to the login page at the next attempted transaction. The user is not locked out. Multiple user sessions may be associated with one user. Terminating a user session only affects the specific session.