THURSDAY, JANUARY 19, 2017

Forcing a Session Timeout for the ‘Remember me’ Checkbox

One important piece of managing user logins in any system is determining the maximum session timeout for users. ServiceNow allows administrators to set a global session timeout, or to give users the option of having their session remembered so that they are never logged out unless they log out themselves.

In some cases, you may need additional flexibility around these session timings. You might want to time users out of the system after a certain period of time even if they have the ‘Remember me’ checkbox checked. You might also want to evaluate the timeout based on specific user criteria. The base configuration doesn’t allow you to have this kind of flexibility, but you can introduce additional capabilities via a scheduled job script. This solution shows how you can force a session timeout even for users with the ‘Remember me’ checkbox selected.

This configuration can be accomplished in a few simple steps as shown below…

  1. Create a new system property to store the maximum number of hours of inactivity for ‘Remember me’ logins.

    Storing the maximum number of hours in a system property will allow for the modification of the timeout without having to go in and modify the scheduled job script directly.

  2. ‘glide.ui.remember_me_timeout’ System Property
    Name: ‘glide.ui.remember_me_timeout’
    Description: Log out ‘Remember me’ users after a certain amount of inactivity (in hours).
    Type: Integer
    Value: 24 (or whatever you like)

  3. Create a new scheduled job to automatically run a script.

    The script queries the ‘Logged in Users’ [v_user_session] table for users who haven’t had an active transaction in the last ‘x’ number of hours based on the ‘glide.ui.remember_me_timeout’ property you set up above. If the condition is met, the user session is locked, logging them out of the system. This is based on the mechanism that ServiceNow has to allow admins to log users out of the system manually. Once logged out, the user will be redirected to a login screen upon their next attempted navigation within the system. This script can be further adjusted to calculate the timeout based on minutes or even look at individual user criteria as well.

  4. ‘Force Maximum Inactivity Timeout (Remember me)’ Scheduled Job
    Name: Force Maximum Inactivity Timeout (Remember me)
    Active: True
    Run: Periodically
    Repeat interval: 15 minutes
    Run this script:

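    //Log out 'Remember me' users after a certain amount of inactivity
    //Pulls number of hours from 'glide.ui.remember_me_timeout' property
    var maxInactiveHours = parseInt(gs.getProperty('glide.ui.remember_me_timeout'), 10);
    //Do nothing if the property is missing or not a positive integer,
    //so a bad value can't produce a malformed query
    if (maxInactiveHours > 0) {
        var sess = new GlideRecord('v_user_session');
        //Exclude guest sessions; match sessions whose last transaction is at least 'maxInactiveHours' hours old
        sess.addEncodedQuery('user!=guest^last_transaction_timeRELATIVELE@hour@ago@' + maxInactiveHours);
        sess.query();
        while (sess.next()) {
            //Optionally test for user-specific criteria here. 'sess.user' contains the user_name so you can query on it.
            //Locking the session logs the user out
            sess.locked = true;
            sess.update();
        }
    }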
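The last sentence of step 3 mentions minute-based timeouts and per-user criteria. The following is an added example, not code from the original post, of that decision logic as plain JavaScript that can be tested outside an instance. `POLICY`, `limitFor`, `sessionsToLock`, the role names and the limits are assumptions made for illustration; in the scheduled job the rows would come from the [v_user_session] query.

```javascript
// Added example: decide which sessions to lock using per-role limits in minutes.
// POLICY (role names and limits) is constructed for illustration.
var POLICY = { defaultMinutes: 24 * 60, roleMinutes: { admin: 30, itil: 240 } };

// Strictest (smallest) limit among the user's roles. A role can only tighten
// the default, never extend it; unknown roles are ignored.
function limitFor(roles, policy) {
    var limit = policy.defaultMinutes;
    for (var i = 0; i < roles.length; i++) {
        var m = policy.roleMinutes[roles[i]];
        if (typeof m === 'number' && m > 0 && m < limit) { limit = m; }
    }
    return limit;
}

// sessions: [{ user: user_name, lastTransactionMs: epoch milliseconds }]
// rolesByUser: { user_name: [role, ...] }
// Returns the user names whose sessions have been idle for at least their limit.
function sessionsToLock(sessions, rolesByUser, policy, nowMs) {
    var toLock = [];
    for (var i = 0; i < sessions.length; i++) {
        var s = sessions[i];
        if (s.user === 'guest') { continue; } // same exclusion as the job's query
        var idleMinutes = (nowMs - s.lastTransactionMs) / 60000;
        if (idleMinutes >= limitFor(rolesByUser[s.user] || [], policy)) {
            toLock.push(s.user);
        }
    }
    return toLock;
}

// Constructed sample data (not real sessions).
function demo() {
    var now = Date.UTC(2017, 0, 19, 12, 0, 0);
    var minAgo = function (m) { return now - m * 60000; };
    var sessions = [
        { user: 'guest', lastTransactionMs: minAgo(3 * 24 * 60) }, // always skipped
        { user: 'alice', lastTransactionMs: minAgo(45) },          // admin: limit 30
        { user: 'bob',   lastTransactionMs: minAgo(45) },          // itil: limit 240
        { user: 'carol', lastTransactionMs: minAgo(25 * 60) },     // no roles: default
        { user: 'dave',  lastTransactionMs: minAgo(31) },          // itil + admin: 30
        { user: 'erin',  lastTransactionMs: minAgo(23 * 60) }      // no roles: default
    ];
    var roles = { alice: ['admin'], bob: ['itil'], dave: ['itil', 'admin'] };
    return sessionsToLock(sessions, roles, POLICY, now);
}
```

With limits shorter than an hour, the job's 15-minute repeat interval sets how late a lock can arrive after the limit is reached.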

If you’ve done all of the above steps correctly, you should end up with a simple-to-maintain mechanism for controlling the duration of those ‘Remember me’ sessions automatically.

2 Comments

Namrata Jain 13-09-2015, 23:43

Hi Mark,

If the homepage has refresh option on, like after 10 mins refresh the page, would the above functionality still work?

Thank you

Best Regards,
Namrata Jain

Mark Stanger 14-09-2015, 07:22

No, because any AJAX request/page refresh would perform queries and keep the session alive. If the user weren’t viewing that page, though, then it would work.
