Forcing a Session Timeout for the ‘Remember me’ Checkbox

Home/System Definition/Forcing a Session Timeout for the ‘Remember me’ Checkbox

Forcing a Session Timeout for the ‘Remember me’ Checkbox

One important piece of managing user logins in any system is determining the maximum session timeout for users. ServiceNow allows administrators to set a global session timeout or allow users the option of having their session remembered and never logging the user out unless they log out themselves.

In some cases, you may need additional flexibility around these session timings. You might want to time users out of the system after a certain period of time even if they have the ‘Remember me’ checkbox checked. You might also want to evaluate the timeout based on specific user criteria. The base configuration doesn’t allow you to have this kind of flexibility, but you can introduce additional capabilities via a scheduled job script. This solution shows how you can force a session timeout even for users with the ‘Remember me’ checkbox selected.

RememberMe

This configuration can be accomplished in a few simple steps as shown below…

  1. Create a new system property to store the maximum number of hours of inactivity for ‘Remember me’ logins.

    Storing the maximum number of hours in a system property will allow for the modification of the timeout without having to go in and modify the scheduled job script directly.

  2. ‘glide.ui.remember_me_timeout’ System Property
    Name: ‘glide.ui.remember_me_timeout’
    Description: Log out ‘Remember me’ users after a certain amount of inactivity (in hours).
    Type: Integer
    Value: 24 (or whatever you like)

  3. Create a new scheduled job to automatically run a script.

    The script queries the ‘Logged in Users’ [v_user_session] table for users who haven’t had an active transaction in the last ‘x’ number of hours based on the ‘glide.ui.remember_me_timeout’ property you set up above. If the condition is met, the user session is locked, logging them out of the system. This is based on the mechanism that ServiceNow has to allow admins to log users out of the system manually. Once logged out, the user will be redirected to a login screen upon their next attempted navigation within the system. This script can be further adjusted to calculate the timeout based on minutes or even look at individual user criteria as well.

  4. ‘Force Maximum Inactivity Timeout (Remember me)’ Scheduled Job
    Name: Force Maximum Inactivity Timeout (Remember me)
    Active: True
    Run: Periodically
    Repeat interval: 15 minutes
    Run this script:

    //Log out 'Remember me' users after a certain amount of inactivity
    //Pulls number of hours from 'glide.ui.remember_me_timeout' property
    var maxInactiveHours = gs.getProperty('glide.ui.remember_me_timeout');
    var sess = new GlideRecord('v_user_session');
    sess.addEncodedQuery('user!=guest^last_transaction_timeRELATIVELE@hour@ago@' + maxInactiveHours);
    sess.query();
    while(sess.next()){
        //Optionally test for user-specific criteria here. 'sess.user' contains the user_name so you can query on it.
        sess.locked = true;
        sess.update();
    }

If you’ve done all of the above steps correctly, you should end up with a simple-to-maintain mechanism for controlling the duration of those ‘Remember me’ sessions automatically.

By | 2017-02-10T05:55:50+00:00 August 5th, 2015|Categories: System Definition|Tags: , |6 Comments

About the Author:

6 Comments

  1. Namrata Jain September 13, 2015 at 11:43 pm - Reply

    Hi Mark,

    If the homepage has refresh option on , like after 10 mins refresh the page , would the above functionality still work?

    Thank you

    Best Regards,
    Namrata Jain

    • Mark Stanger September 14, 2015 at 7:22 am - Reply

      No because any AJAX request/page refresh would perform queries and keep the session alive. If the user weren’t viewing that page though then it would work.

  2. harsha February 21, 2017 at 9:46 am - Reply

    where can i find this option in the servicenow demo instance

    • Mark Stanger February 21, 2017 at 10:09 am - Reply

      I’m not sure exactly which option you’re referring to. If you’re in a ServiceNow demo instance though, you might not have the same ability to manipulate the configuration because they lock it down considerably there.

  3. Ahmed April 15, 2017 at 5:50 pm - Reply

    Hi Mark, very useful share! Thanks.
    Although I think this set up will work only on single node instances because the v_user_session table only shows active users on the current node.

    Simple change will be to create the schedule job (sys_trigger) and set the System ID field to All Nodes so that the job runs on every node.

Leave A Comment