Activity-renewed Sessions
Once the End User is authenticated to the Impact Finance Web App, the authenticated session must be
- kept alive as long as the End User is actively using the app, and
- (optionally) closed after a period of inactivity.
This document describes how to achieve these two tasks with "activity-renewed" sessions.
Keep-alive
On log-in the session gets an expiration time based on the session_inactivity_timeout setting. On every activity from the End User that results in a request from the Web App Frontend to the Web App Backend, this expiration time is extended so that it again lies session_inactivity_timeout seconds after the latest request.
This means that as long as the End User is actively using the app, the session is kept alive. Only activity that actually reaches the Web App Backend counts; interaction that sends no request does not extend the session.
If no activity is registered for session_inactivity_timeout seconds, the session expires and the End User is signed out.
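The following is an added example, not code from the Impact Finance Web App, showing the backend side of activity-renewed expiry as a small session store. The store layout, the function names and the 30 second timeout are assumptions chosen for illustration; the absolute lifetime cap is an extra safeguard beyond what this page describes, because a purely sliding expiry never ends a session that sees steady requests. Timestamps are passed in explicitly so the run is deterministic.

```javascript
// Added example (assumed names): backend session store with activity-renewed expiry.
const SESSION_INACTIVITY_TIMEOUT_MS = 30 * 1000;     // stands in for session_inactivity_timeout
const SESSION_MAX_LIFETIME_MS = 8 * 60 * 60 * 1000;  // assumed cap, not part of the page's design

// Called at log-in: the first expiration is now + session_inactivity_timeout.
function createSession(userId, nowMs, {
  timeoutMs = SESSION_INACTIVITY_TIMEOUT_MS,
  maxLifetimeMs = SESSION_MAX_LIFETIME_MS,
} = {}) {
  return {
    userId,
    timeoutMs,
    hardExpiresAt: nowMs + maxLifetimeMs,                          // never extended
    expiresAt: Math.min(nowMs + timeoutMs, nowMs + maxLifetimeMs), // sliding deadline
    active: true,
  };
}

// Called on every Frontend -> Backend request. An already expired session is
// closed and the request refused; otherwise the deadline moves to now + timeout,
// but never past the absolute cap.
function touchSession(session, nowMs) {
  if (!session.active || nowMs >= session.expiresAt) {
    session.active = false; // the End User has to log in again
    return false;
  }
  session.expiresAt = Math.min(nowMs + session.timeoutMs, session.hardExpiresAt);
  return true;
}

// Constructed timeline: log-in at t=0, requests at 20 s and 45 s, then silence.
// Each accepted request pushes the deadline forward; the request at 80 s arrives
// after the 75 s deadline and is refused.
function exampleTimeline() {
  const session = createSession('user-1', 0);
  const trace = [];
  for (const t of [20000, 45000, 80000]) {
    trace.push({ t, accepted: touchSession(session, t), expiresAt: session.expiresAt });
  }
  return trace;
}

console.log(exampleTimeline());
```

The check in touchSession is the important part: expiry is evaluated on the request that arrives, not by a background timer, so a request that comes in late is refused and the session is closed rather than silently renewed.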
Signing Out on Inactivity
While the mechanism above expires sessions after a period of inactivity, it does not provide any user interface for questions such as "Are you still there?". This is by design: we assume that your Bank App already has such UX in place, and the Web App should not duplicate it (with the risk of the two behaving inconsistently).
Instead, we recommend that your Bank App listens for TelemetryEvents to drive its own inactivity detection. As long as your Bank App receives these events, the End User can be considered to be actively using the Web App; conversely, the absence of such events indicates inactivity. Keep in mind that the Web App Backend remains the authority on whether the session is still alive: from the events it receives, the Bank App can only estimate how much time remains.
If you want to prolong the session by an additional session_inactivity_timeout, you can do so by sending a sessionKeepAlive event. Note that this must happen before the session has expired: a keep-alive sent after expiry cannot revive the session, and the End User has to log in again.
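As an added example, not code from the Web App or its SDK, the following inactivity monitor implements the Bank App side of this recommendation: it treats each TelemetryEvent as activity, raises the "Are you still there?" prompt once a configurable idle time has passed, and sends a sessionKeepAlive only while the session can still be prolonged. How TelemetryEvents are delivered to the Bank App and how a sessionKeepAlive event is sent are not specified on this page, so both are injected callbacks (sendKeepAlive, onPrompt, onSignOut), and the thresholds are assumptions. Time is passed in as millisecond timestamps so the logic can be exercised without real timers.

```javascript
// Added example (assumed interface): Bank App inactivity monitor driven by TelemetryEvents.
function createInactivityMonitor({ timeoutMs, promptAfterMs, sendKeepAlive, onPrompt, onSignOut }) {
  if (promptAfterMs >= timeoutMs) {
    throw new Error('promptAfterMs must be smaller than timeoutMs, or the prompt comes too late');
  }
  let lastActivityAt = null;   // timestamp of the last TelemetryEvent (or keep-alive)
  let state = 'signed-out';    // 'active' | 'prompted' | 'signed-out'

  return {
    // Call once the End User is authenticated to the Web App.
    start(nowMs) { lastActivityAt = nowMs; state = 'active'; },

    // Call for every TelemetryEvent received from the Web App. Activity while the
    // prompt is open means the user is back, so the Bank App should dismiss it.
    onTelemetryEvent(nowMs) {
      if (state === 'signed-out') return;
      lastActivityAt = nowMs;
      state = 'active';
    },

    // Call periodically (e.g. from setInterval). Fires onPrompt once per idle
    // period and onSignOut once when the backend session must be considered gone.
    check(nowMs) {
      if (state === 'signed-out') return state;
      const idleMs = nowMs - lastActivityAt;
      if (idleMs >= timeoutMs) {
        state = 'signed-out';
        onSignOut();
      } else if (idleMs >= promptAfterMs && state === 'active') {
        state = 'prompted';
        onPrompt();
      }
      return state;
    },

    // The End User answered "Yes, I'm still here". Returns false if it is already
    // too late: a sessionKeepAlive after expiry cannot revive the session.
    confirmPresence(nowMs) {
      if (state === 'signed-out') return false;
      if (nowMs - lastActivityAt >= timeoutMs) {
        state = 'signed-out';
        onSignOut();
        return false;
      }
      sendKeepAlive();          // sends the sessionKeepAlive event (injected)
      lastActivityAt = nowMs;   // the keep-alive counts as activity
      state = 'active';
      return true;
    },
  };
}

// Constructed walk-through: 30 s timeout, prompt after 20 s of silence.
function exampleFlow() {
  const log = [];
  const monitor = createInactivityMonitor({
    timeoutMs: 30000,
    promptAfterMs: 20000,
    sendKeepAlive: () => log.push('sessionKeepAlive'),
    onPrompt: () => log.push('prompt'),
    onSignOut: () => log.push('signOut'),
  });
  monitor.start(0);
  monitor.onTelemetryEvent(15000);     // user is active
  monitor.check(36000);                // 21 s idle -> prompt
  monitor.confirmPresence(40000);      // user answers in time -> keep-alive
  monitor.check(70000);                // 30 s idle again -> signed out
  monitor.confirmPresence(71000);      // too late, nothing is sent
  return log;
}

console.log(exampleFlow()); // ['prompt', 'sessionKeepAlive', 'signOut']
```

Because the monitor's view of the deadline is an estimate, treat a failed or rejected keep-alive exactly like an expiry on the Bank App side, and make sure the prompt threshold leaves the End User enough time to answer before the backend session actually ends.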
Here is an example flow of giving the End User the option to keep the session alive with an "Are you still there?" prompt after a period of inactivity: