Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-78801

Add Auto logout settings for the mobile app

XMLWordPrintable

    • MOODLE_402_STABLE
    • MOODLE_403_STABLE
    • MDL-78801-master
    • Hide
      1. Enable "Mobile services": via Site administration ► Advanced features
      2. Create a Token for the mobile app service for any user on the site (but not an admin)
        Click on Site administration ► Plugins ► Web services ► Manage tokens
      3. Next, you can do a CURL REST call simulating a WS client with the user token.
      4. You need to replace the $wstoken and the MOODLE_URL of your moodle instance

        curl 'MOODLE_URL/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=tool_mobile_get_config&wstoken=$wstoken' | python -m json.tool

      1. Confirm that:
      2. The tool_mobile_autologout field value is set to false
      3. As admin now go to Site administration > Mobile app authentication > and change the value of the "Enforce auto logout for your users" field to "Inmediately after users leave or close the app"
      4. Execute the same CURL request as bevoe
      5. Confirm that:
      6. The tool_mobile_autologout field value is set to 1
      7. As admin now go to Site administration > Mobile app authentication > and change the value of the "Enforce auto logout for your users" field to "Custom time after users leave or close the app" and set a custom time of 1 hour
      8. Execute the same CURL request as bevoe
      9. Confirm that:
      10. The tool_mobile_autologout field value is set to 2
      11. The tool_mobile_autologouttime field value is set to 3600
      12. As admin now go to Site administration > Mobile app authentication > and change the value of the "Enforce auto logout for your users" field to "Never"
      13. Execute the same CURL request as bevoe
      14. Confirm that:
      15. The tool_mobile_autologout field value is set to 0
      Show
      Enable "Mobile services": via Site administration ► Advanced features Create a Token for the mobile app service for any user on the site (but not an admin) Click on Site administration ► Plugins ► Web services ► Manage tokens Next, you can do a CURL REST call simulating a WS client with the user token. You need to replace the $wstoken and the MOODLE_URL of your moodle instance curl 'MOODLE_URL/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=tool_mobile_get_config&wstoken=$wstoken' | python -m json.tool Confirm that: The tool_mobile_autologout field value is set to false As admin now go to Site administration > Mobile app authentication > and change the value of the "Enforce auto logout for your users" field to "Inmediately after users leave or close the app" Execute the same CURL request as bevoe Confirm that: The tool_mobile_autologout field value is set to 1 As admin now go to Site administration > Mobile app authentication > and change the value of the "Enforce auto logout for your users" field to "Custom time after users leave or close the app" and set a custom time of 1 hour Execute the same CURL request as bevoe Confirm that: The tool_mobile_autologout field value is set to 2 The tool_mobile_autologouttime field value is set to 3600 As admin now go to Site administration > Mobile app authentication > and change the value of the "Enforce auto logout for your users" field to "Never" Execute the same CURL request as bevoe Confirm that: The tool_mobile_autologout field value is set to 0

      This is related to MOBILE-3838 which indicated that for security reasons it would be good if the app supports closing the user session when the user leaves the app or after certain time.
      To avoid annoying users, certain functionalities to provide a faster login experience should be also provided (such as biometric login)

      The mobile app uses Web Service authentication tokens that already have a configurable valid time but they are limited in aspects such as :

      • Is not possible to invalidate them on request
      • They will prevent the user from using the app the moment they are invalidated
      • The previous could generate situations such as the user being prevented from submitting a quiz or an assignment submission if tokens with short-live periods are used
      • In general it would be a bad idea to use the tokens to simulate a session time out

      To prevent the previous issues from happening, an existing solution was already implemented in the apps portal.
      Instead of using a "session timeout" approach, it will use an auto logout approach based on the time the user has not used the app since the last time they close it. See bellow screenshot:

      This issue is for only creating the necessary settings to support this via Moodle LMS, the previous settings will allow admins to enable a functionality very similar to the session timeout already available in LMS (with the main difference being that it won't be based on the time the user has been using the app but on the period of time since the last time they used it).
      Please notice that this solution won't invalidate the web service token, it will just force the user to re-authenticate in the app after a certain period of time.

      Apart from this new functionality that will enforce security, we will be also storing the Web Service access token in the device keystore/keychain and allowing the usage of Biometric login (the latest for Premium/BMA clients only)

        1. screenshot-3.png
          screenshot-3.png
          42 kB
        2. screenshot-2.png
          screenshot-2.png
          96 kB
        3. screenshot-1.png
          screenshot-1.png
          49 kB
        4. MDL-78801.png
          MDL-78801.png
          863 kB

            jleyva Juan Leyva
            jleyva Juan Leyva
            Rodrigo Mady Rodrigo Mady
            Ilya Tregubov Ilya Tregubov
            Ron Carl Alfon Yu Ron Carl Alfon Yu
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 2 hours, 39 minutes
                2h 39m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.