- Improvement
- Resolution: Fixed
- Minor
- 4.2.1
- MOODLE_402_STABLE
- MOODLE_403_STABLE
- MDL-78801-master
This is related to MOBILE-3838, which indicated that for security reasons it would be good if the app supported closing the user session when the user leaves the app or after a certain time.
To avoid annoying users, certain functionalities to provide a faster login experience should also be provided (such as biometric login).
The mobile app uses Web Service authentication tokens that already have a configurable valid time, but they are limited in aspects such as:
- It is not possible to invalidate them on request
- They will prevent the user from using the app the moment they are invalidated
- The previous point could generate situations such as the user being prevented from submitting a quiz or an assignment submission if short-lived tokens are used
- In general it would be a bad idea to use the tokens to simulate a session time out
To prevent the previous issues from happening, an existing solution was already implemented in the apps portal.
Instead of using a "session timeout" approach, it will use an auto logout approach based on the time the user has not used the app since the last time they closed it. See the screenshot below:
This issue is only for creating the necessary settings to support this via Moodle LMS. The previous settings will allow admins to enable a functionality very similar to the session timeout already available in LMS (with the main difference being that it won't be based on the time the user has been using the app but on the period of time since the last time they used it).
Please note that this solution won't invalidate the web service token; it will just force the user to re-authenticate in the app after a certain period of time.
Apart from this new functionality that will enforce security, we will also be storing the Web Service access token in the device keystore/keychain and allowing the usage of biometric login (the latter for Premium/BMA clients only).
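The auto logout decision described above, sketched as an added example that is not code from Moodle LMS or the Moodle app. All function names and the `-1`/`0` setting encodings are hypothetical assumptions; the point is that the timer starts when the user leaves the app and that only a local lock changes, never the token.

```javascript
// Added illustration; every name and setting value here is hypothetical.
const AUTO_LOGOUT_NEVER = -1;   // assumed encoding: feature disabled
const AUTO_LOGOUT_ON_LEAVE = 0; // assumed encoding: lock every time the app is left

function createSession(token, autoLogoutSeconds) {
  return { token, autoLogoutSeconds, lastUsedAt: null, locked: false };
}

// The clock starts when the user leaves the app, not at login, so time
// spent actively working (for example, on a long quiz) never counts.
function onAppLeave(session, nowSeconds) {
  session.lastUsedAt = nowSeconds;
}

// Evaluated only when the app is reopened, so a user who stays in the
// app is never interrupted mid-submission.
function onAppResume(session, nowSeconds) {
  const limit = session.autoLogoutSeconds;
  if (limit === AUTO_LOGOUT_NEVER || session.lastUsedAt === null) {
    return session.locked;
  }
  const away = nowSeconds - session.lastUsedAt;
  // A negative interval means the device clock moved backwards: fail closed.
  if (limit === AUTO_LOGOUT_ON_LEAVE || away < 0 || away >= limit) {
    session.locked = true; // the web service token itself is left untouched
  }
  return session.locked;
}

// Re-authentication (password or biometric) clears only the local lock.
function onReauthenticated(session) {
  session.locked = false;
  session.lastUsedAt = null;
}
```
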
- has a non-specific relationship to MDL-79085 Mobile auto logout config missing visible name (Closed)