Ever wondered how to log out users automatically after a certain period of inactivity in your app? You're in the right place!
In this blog post, we dive into three methods for implementing auto-logout functionality:
1. Auto-logout after X hours since the last sign-in.
2. Logging out users who have been idle for X time without interacting with any API endpoint.
3. Logout triggered by inactivity: no clicks, scrolls, or key presses for a set duration.
We'll dive into each method, offering our recommendations for a smooth implementation.
Keep in mind that the purpose of this post is to help you get started. 'Inactivity' is not one-size-fits-all; it varies based on your application’s requirements. Ready to dive in? Let's get started!
Auto-logout After X Hours Since Last Sign-In
To auto-log out a user after X hours since their last sign-in, set the "expiration" parameter of the authentication token to the number of seconds you would like the token to be valid for. You can think of the auth token as a digital key that grants access to the application.
For example, if the expiration value is set to 86400, the token will be valid for 1 day. If the expiration value is set to 0, the token will never expire; keep in mind that a token which never expires stays usable for as long as it exists, so a finite value is the safer default.
Once the user's auth token expires, the user will no longer be able to access the parts of the application that require authentication until they sign in again. On signing in, they are issued a new auth token, and the cycle restarts.
To implement this, make sure the "expiration" parameter of the authentication token is set to the desired number of seconds in both the /auth/login and /auth/signup endpoints, so that tokens issued by either path expire on the same schedule.
Log Out Users Idle for X Time Without API Endpoint Interaction
This approach records user activity every time a user accesses any endpoint. In addition, a background task periodically checks for users who have exceeded a specified amount of time since their last recorded activity. The result is a flag that is returned to the frontend, telling it to delete the user's auth token.
Note: This method requires your frontend to be configured to receive the flag and act on it.
1. We will start by adding a timestamp field called "last_active" and a boolean field called "is_active" to our user table.
2. Next, go to the 'Library' section in the left-hand menu and then to 'Functions.' Here we set up a new function whose purpose is to update the 'last_active' field of a user's record each time the function runs.
a. In Step 1 of our "user_activity" function, we fetch the user record using the user_id input.
b. In Step 2, we check that the user exists; if not, the next step does not run.
c. In the final step, we store "now" in the last_active field of the user's record.
3. Next, we create a background task that runs every 5 minutes and checks which users have not been active within our session timeout (e.g. 1 hour).
Note: In this example, the background task runs every 5 minutes, so there is a short delay before a user is actually logged out. For instance, if a user's last activity was at 2:08 PM and the task runs at 3:00 PM, 3:05 PM, 3:10 PM, and so on, the user remains logged in until the run at 3:10 PM, the first run at which more than an hour has passed.
a. In Step 1, we define the value used in our if condition by applying the 1-hour offset that represents our session timeout (i.e. "now minus 1 hour").
b. In Step 2, we filter out all users who are already inactive.
c. In Step 3, we iterate through each remaining record and evaluate which users have not touched any API endpoint for more than one hour.
Be sure that the format of each user's 'last_active' value matches the format of the cutoff value established in Step 1; comparing a timestamp with a differently formatted value will silently produce wrong results.
Users who have not interacted with any API endpoint for more than an hour have their 'is_active' status set to false.
4. From there, we will add our activity_tracker function to all our APIs.
5. Since our user_activity function requires the user_id, a quick way to obtain it without changing much in your backend configuration is to enable user authentication on all your endpoints, so the id comes from the verified token. If authentication cannot be used on an endpoint, pass in the user_id explicitly.
6. The user's 'is_active' value should then be returned to the frontend whenever the user accesses an API endpoint. If 'is_active' is false, meaning there has been no interaction for over an hour, the frontend deletes the stored auth token once the corresponding logic is in place. The user then needs to re-authenticate (sign in) to regain access.
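The following is an added example, not code from the original post or from the platform it describes. It puts the six steps above together in plain JavaScript: an in-memory stand-in for the user table with `last_active` and `is_active` fields, a `userActivity` function that stores "now", a `sweepInactiveUsers` task that applies the 1-hour cutoff, and a request handler that returns the flag to the frontend. The table, the function names and the constructed timestamps are assumptions made for this example; the numbers reproduce the 2:08 PM / 3:10 PM case from the note above.

```javascript
// Added example (not the original post's code): server-side idle tracking with a
// last_active timestamp, an is_active flag and a periodic sweep, as described in the post.

const SESSION_TIMEOUT_MS = 60 * 60 * 1000; // 1 hour, the post's example session length

// Constructed in-memory stand-in for the user table; a real backend queries its database.
function makeUserTable() {
  return new Map([
    ["u1", { id: "u1", last_active: null, is_active: true }],
    ["u2", { id: "u2", last_active: null, is_active: true }],
  ]);
}

// Equivalent of /auth/login: a fresh sign-in resets the flag and the timestamp.
function signIn(users, userId, nowMs) {
  const user = users.get(userId);
  if (!user) return false;
  user.is_active = true;
  user.last_active = nowMs;
  return true;
}

// user_activity: called from every authenticated endpoint.
function userActivity(users, userId, nowMs) {
  const user = users.get(userId);          // Step 1: fetch the record
  if (!user) return false;                 // Step 2: unknown user, stop here
  user.last_active = nowMs;                // Step 3: store "now"
  return true;
}

// Background task (run every 5 minutes): flags users whose last_active is older than
// the timeout. Returns the ids it deactivated so the caller can log the sweep.
function sweepInactiveUsers(users, nowMs, timeoutMs = SESSION_TIMEOUT_MS) {
  const cutoff = nowMs - timeoutMs;        // Step 1: "now minus 1 hour", same unit as last_active
  const flagged = [];
  for (const user of users.values()) {
    if (!user.is_active) continue;         // Step 2: skip already-inactive users
    if (user.last_active !== null && user.last_active < cutoff) { // Step 3: exceeded the hour
      user.is_active = false;
      flagged.push(user.id);
    }
  }
  return flagged;
}

// Per-request handler: refuses timed-out sessions without refreshing last_active (otherwise a
// timed-out user could keep their session alive), records activity for everyone else, and
// returns the is_active flag the frontend uses to decide whether to drop its stored token.
function handleRequest(users, userId, nowMs) {
  const user = users.get(userId);
  if (!user) return { status: 401 };
  if (!user.is_active) return { status: 401, is_active: false };
  userActivity(users, userId, nowMs);
  return { status: 200, is_active: true };
}

module.exports = { makeUserTable, signIn, userActivity, sweepInactiveUsers, handleRequest };
```

Note that `handleRequest` answers 401 for an inactive user rather than just returning `is_active: false` with a 200: the backend should refuse to serve protected data to a timed-out session even if the frontend has not yet deleted the token, so the flag is a courtesy for the UI, not the only enforcement point.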
Logout Triggered by Inactivity: No Clicks, Scrolls, or Key Presses for a Set Duration
This method relies entirely on monitoring user input events, which only the browser can see. We therefore strongly advise implementing this functionality in the frontend of your application.
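The following is an added example, not code from the original post. It implements the frontend side of this method as a small idle tracker: user input events record the time of the last activity, a periodic check fires a logout callback once the configured duration has passed with no input, and the callback removes the stored token and sends the user to the sign-in page. The clock is injected so the logic runs and can be checked outside a browser; the `authToken` storage key, the `/login` path and the 15-minute timeout are assumptions, and the event list adds `mousemove` and `touchstart` to the clicks, scrolls and key presses named in the post.

```javascript
// Added example (not the original post's code): a frontend inactivity timer that logs the
// user out after a set period with no clicks, scrolls, key presses or similar input.

// Deterministic idle tracker: the caller passes the current time, so the same logic can be
// driven by real events in a browser or by fixed timestamps in a test.
function createIdleTracker({ timeoutMs, onIdle }) {
  let lastActivity = null;
  let idleFired = false;
  return {
    // Call on every user input event, and once on page load to start the clock.
    activity(nowMs) {
      lastActivity = nowMs;
      idleFired = false;
    },
    // Call periodically; fires onIdle exactly once when the timeout has elapsed.
    check(nowMs) {
      if (lastActivity === null || idleFired) return false;
      if (nowMs - lastActivity >= timeoutMs) {
        idleFired = true;
        onIdle();
        return true;
      }
      return false;
    },
    isIdle() {
      return idleFired;
    },
  };
}

// What the onIdle callback does: drop the token the frontend holds. `storage` is any object
// with a removeItem method (window.localStorage in a browser); the key name is an assumption.
function logoutLocally(storage) {
  storage.removeItem("authToken");
}

// Browser wiring, skipped when the file runs under Node.
if (typeof window !== "undefined") {
  const tracker = createIdleTracker({
    timeoutMs: 15 * 60 * 1000,
    onIdle: () => {
      logoutLocally(window.localStorage);
      window.location.assign("/login");
    },
  });
  ["click", "scroll", "keydown", "mousemove", "touchstart"].forEach((ev) =>
    window.addEventListener(ev, () => tracker.activity(Date.now()), { passive: true })
  );
  tracker.activity(Date.now());
  setInterval(() => tracker.check(Date.now()), 30 * 1000);
}

module.exports = { createIdleTracker, logoutLocally };
```

Deleting the token on the client ends the session from the user's point of view, but the token itself stays valid on the server until it expires or the backend marks the user inactive. Pair this method with the token expiration from the first section, or the server-side idle tracking from the second, so that a copy of the token held elsewhere does not outlive the inactivity logout.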
In summary, whether it's logging out users after a specific duration since their last sign-in, due to inactivity without API interaction, or following a period without user inputs like clicks or scrolls, the key is to customize the functionality to suit your application's unique requirements.
We hope that the recommendations provided here will serve as a foundation for your implementation. If you have any additional recommendations or best practices, please share them in this thread so we can all learn together!
Written by Liz Anaya Ramos and Lesa Makoele