What expectation should I have for how long a user can stay logged on before being prompted again?
I have implemented my own check in functions.php, integrating with the SSO plugin for WordPress. My logic seems pretty simple but I just noticed that a member who had a declined credit card (hence removing the user tag that my logic checks) was able to access my forum today. On further checking she last logged on a couple of days ago and, I guess, still seems to be. Her last logon date for WordPress is also a few days back.
Is it expected that her cached credentials should still be working. If so, is there any way to control the validity of the token and/or respond to a webhook to force a logout?