Hmm. As people use the forums and read topics, etc., if they do something that generates an action (create_post, create_topic, edit_post, etc.) then I get a message via the webhook. This tells the main site that they’re still active, so I can update the ‘Last Click’ value on their session, preventing a logout. As it should. All good.
However, if a member is just reading messages for a while… their Discourse idle time is being reset every time they do something (which is good), but my main site never receives any webhook messages indicating the user is active, so after 1 hour without any activity (it looks like they went to forums and walked away from the computer) the main site assumes they’re toast and logs them out.
It seems like there’s a hole in the logic here. For a proper SSO implementation, shouldn’t there be a way for Discourse to tell me if a user’s session is active (even if they are just reading)? Perhaps Discourse should be sending a ping every 5 minutes if the member is active but hasn’t generated any other webhook messages.
Or maybe when my site thinks a user has timed out, I should call Discourse and ask if the user is active over there. Is there a way to do that? (I see “Is there an endpoint to check if a user is logged in” but I can’t quite tell if that’s what I want, and /session/current.json isn’t in the API docs.) That will generate a ton of API calls, though-- I log off ~15-20 users every minute on my site for inactivity, so that would be calling for each one (and possibly more than one call, if I don’t have a local cache of their Discourse ID).
Friends, what do y’all think/advise?