SSO credentials validity / forced logout

What expectation should I have for how long a user can stay logged on before being prompted again?

I have implemented my own check in functions.php, integrating with the SSO plugin for WordPress. My logic seems pretty simple but I just noticed that a member who had a declined credit card (hence removing the user tag that my logic checks) was able to access my forum today. On further checking she last logged on a couple of days ago and, I guess, still seems to be. Her last logon date for WordPress is also a few days back.

Is it expected that her cached credentials should still be working? If so, is there any way to control the validity of the token and/or respond to a webhook to force a logout?

Thank you.

1 Like

This is controlled by the Discourse maximum session age site setting. It sets the number of hours that users will remain logged into your site for. It defaults to 1440 hours (60 days). You could try setting this to a lower value. If you set it too low it will seem like a bug to your users.

This makes sense. You can log users out manually by going to their Discourse Admin page and clicking the ‘Log Out’ button that you’ll see near the top-right of the page. Another option for controlling this would be to add some code to your WordPress site that logs users out of Discourse when a membership expires.

1 Like
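As an added example (not code from this thread or from the WP Discourse plugin), here is a WordPress hook that does what the answer above suggests: when a membership lapses, it calls the Discourse admin API to invalidate the user's sessions. The `my_membership_expired` hook and the `my_discourse_*` option names are assumptions; the two Discourse endpoints used are real.

```php
<?php
// Added example, not from the thread or the WP Discourse plugin. Assumes the
// Discourse URL and an admin API key are stored in the WordPress options named
// below, and that your membership plugin fires `my_membership_expired` with the
// WP user ID. Both of those names are hypothetical placeholders.

add_action( 'my_membership_expired', 'my_discourse_force_logout', 10, 1 );

function my_discourse_force_logout( $wp_user_id ) {
    $base    = rtrim( get_option( 'my_discourse_url' ), '/' );
    $headers = array(
        'Api-Key'      => get_option( 'my_discourse_api_key' ),
        'Api-Username' => 'system', // an admin account the key is issued for
        'Accept'       => 'application/json',
    );

    // With WP Discourse SSO (DiscourseConnect) the external_id is the WP user ID,
    // so the Discourse user can be looked up without storing a mapping.
    $lookup = wp_remote_get(
        $base . '/u/by-external/' . intval( $wp_user_id ) . '.json',
        array( 'headers' => $headers, 'timeout' => 10 )
    );
    if ( is_wp_error( $lookup ) || 200 !== wp_remote_retrieve_response_code( $lookup ) ) {
        error_log( 'Discourse lookup failed for WP user ' . intval( $wp_user_id ) );
        return false;
    }
    $body = json_decode( wp_remote_retrieve_body( $lookup ), true );
    if ( empty( $body['user']['id'] ) ) {
        return false; // user never logged into Discourse; nothing to revoke
    }
    $discourse_id = intval( $body['user']['id'] );

    // Same effect as the admin "Log Out" button: every active Discourse session
    // for that user is invalidated. This does not change the membership itself,
    // so the SSO check in functions.php must still refuse the next login.
    $resp = wp_remote_post(
        $base . '/admin/users/' . $discourse_id . '/log_out',
        array( 'headers' => $headers, 'timeout' => 10 )
    );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        error_log( 'Discourse log_out failed for Discourse user ' . $discourse_id );
        return false;
    }
    return true;
}
```

Keep the API key out of version control (a constant in wp-config.php or an option written once by an admin), and treat a non-200 response as a failure to alert on rather than silently ignore, since the member keeps access until the session age expires.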

Much appreciated, Simon. While I think 60 days is too long for my scenarios (these are paying members and so they have an expectation we’d check they are still valid members), I do agree that reducing it too much can be a pain.

The final suggestion (find a way to log them out of Discourse when membership ends) is what I will research. I had seen the manual logout option but looking to totally automate all of this, so that seems like the right path.

Thanks again.

1 Like