SSO credentials validity / forced logout

What expectation should I have for how long a user can stay logged on before being prompted again?

I have implemented my own check in functions.php, integrating with the SSO plugin for WordPress. My logic seems pretty simple but I just noticed that a member who had a declined credit card (hence removing the user tag that my logic checks) was able to access my forum today. On further checking she last logged on a couple of days ago and, I guess, still seems to be. Her last logon date for WordPress is also a few days back.

Is it expected that her cached credentials should still be working? If so, is there any way to control the validity of the token and/or respond to a webhook to force a logout?

Thank you.

1 Like

This is controlled by the Discourse maximum session age site setting. It sets the number of hours that users will remain logged into your site for. It defaults to 1440 hours (60 days). You could try setting this to a lower value. If you set it too low it will seem like a bug to your users.

This makes sense. You can log users out manually by going to their Discourse Admin page and clicking the ‘Log Out’ button that you’ll see near the top-right of the page. Another option for controlling this would be to add some code to your WordPress site that logs users out of Discourse when a membership expires.

2 Likes

Much appreciated, Simon. While I think 60 days is too long for my scenarios (these are paying members and so they have an expectation we’d check they are still valid members), I do agree that reducing it too much can be a pain.

The final suggestion (find a way to log them out of Discourse when membership ends) is what I will research. I had seen the manual logout option but looking to totally automate all of this, so that seems like the right path.

Thanks again.

1 Like

Hmm… the description of the site setting says (emphasis mine):

User will remain logged in for n hours since last visit

If I understand correctly, users could remain logged in forever if they continue to visit the site periodically even after they lose their SSO credentials. For example, if the setting were set to 72 hours, as long as they continued to visit the site every day or two, they’d remain logged in. Am I interpreting that correctly?

2 Likes

Yes, that is true in my experience. There is no absolute timeout that forcefully logs someone out after a fixed period of time.

1 Like

So is the implication of this that if someone cancels my membership and I want to be sure they can’t access my forum I will need to forcefully log them off (manually or via an API call)?

1 Like

Yes, that is the recommendation.

1 Like

Thank you. Having just switched from a Facebook group (which required manually removing members when they cancelled their subscriptions) it’s unfortunate that, with Discourse, I will still have a manual process to ensure cancelled members can’t access my forum. That leads to a question.

Is there any non-manual mechanism - however creative - where I can ensure a user who no longer has a valid account, i.e. s/he cannot log on, will be forcefully logged out of Discourse?

It does seem logically weird to have the SSO mechanism block users from logging on (recognizing the fact they don’t have a valid account), but if they simply access the forum on a regular basis (less than the timeout) they can access the forum for as long as they like, until I log them off manually.

I guess my final option, potentially, is to write a plugin that will call a Discourse API to log them out when they cancel.

Open to any and all ideas here. As you can tell, I REALLY want to avoid having to do this manually :slight_smile:

Thank you.

You can make an API request to /admin/users/<discourse_user_id>/log_out. The WP Discourse plugin uses this route to sync logging out of WordPress with Discourse. You could probably copy most of the code from this function: wp-discourse/discourse-sso.php at master · discourse/wp-discourse · GitHub.

1 Like

Much appreciated, Simon. I will take a look.

Stepping back though, does this not seem like something of a problem? I guess we can debate the importance of this, but having a platform where users can just continue to access a forum endlessly, even when they no longer have a valid account, is not something I have seen elsewhere.

I can perhaps buy the notion that it’s WordPress, rather than Discourse, which is the authoritative source here. So that probably points the finger at the SSO plugin as the best place to locate some logic.

Curious to know the overall thinking here. I’d like to think the scenario is a valid one (force logout after a certain period of time or based on a WordPress account becoming “invalid”), no?

Just brainstorming here since I would like to avoid manual steps - but also want to avoid writing code, if I can :slight_smile:

Yes, this will need to be handled by WordPress. I think it would make sense for the WP Discourse plugin to log users out of Discourse when they are deleted on WordPress, but I’m not sure that this would solve your problem. My assumption is that when a user’s membership expires on your site, the user isn’t deleted from your WordPress site. To handle the case of logging a user out of Discourse when their membership expires, you will probably need to add some code to your site that hooks into whatever action is fired by your membership plugin when a membership expires.

1 Like
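The two answers above (the `/admin/users/<discourse_user_id>/log_out` route and hooking the membership plugin's expiry action) fit together into one small piece of WordPress code. The following is an added example, not code from the thread or from the wp-discourse plugin. It assumes the Discourse base URL and an admin API key are stored in two hypothetical WordPress options (`my_discourse_url`, `my_discourse_api_key`), and that the membership plugin fires a hypothetical action `my_membership_expired` carrying the WordPress user id; substitute the real action name your plugin documents. With WordPress as the SSO provider, the WordPress user id is the `external_id` Discourse stores, so the Discourse user id can be resolved with the `/users/by-external/<external_id>.json` route before calling the logout route.

```php
<?php
// Added example: force a Discourse logout when a WordPress membership expires.
// Not part of the thread or the wp-discourse plugin.
//
// Assumptions (hypothetical names, adjust to your site):
//   - option 'my_discourse_url'      : e.g. https://forum.example.com
//   - option 'my_discourse_api_key'  : an "All Users" admin API key from Discourse
//   - action 'my_membership_expired' : fired by the membership plugin with the WP user id

add_action( 'my_membership_expired', 'my_force_discourse_logout', 10, 1 );

/**
 * Look up the Discourse user by the SSO external_id (the WordPress user id)
 * and terminate every Discourse session that user has.
 *
 * @param int $wp_user_id WordPress user id passed by the membership plugin.
 * @return bool True when Discourse confirmed the logout, false otherwise.
 */
function my_force_discourse_logout( $wp_user_id ) {
    $base_url = rtrim( get_option( 'my_discourse_url' ), '/' );
    $headers  = array(
        'Api-Key'      => get_option( 'my_discourse_api_key' ),
        'Api-Username' => 'system',
    );

    // Step 1: resolve the Discourse user id from the SSO external_id.
    $lookup = wp_remote_get(
        $base_url . '/users/by-external/' . intval( $wp_user_id ) . '.json',
        array( 'headers' => $headers, 'timeout' => 10 )
    );
    if ( is_wp_error( $lookup ) || 200 !== wp_remote_retrieve_response_code( $lookup ) ) {
        // A user who never visited Discourse has no record there; nothing to log out.
        error_log( 'Discourse lookup failed for WP user ' . intval( $wp_user_id ) );
        return false;
    }
    $body = json_decode( wp_remote_retrieve_body( $lookup ), true );
    if ( empty( $body['user']['id'] ) ) {
        return false;
    }
    $discourse_user_id = intval( $body['user']['id'] );

    // Step 2: invalidate all of that user's Discourse sessions.
    $logout = wp_remote_post(
        $base_url . '/admin/users/' . $discourse_user_id . '/log_out',
        array( 'headers' => $headers, 'timeout' => 10 )
    );
    if ( is_wp_error( $logout ) || 200 !== wp_remote_retrieve_response_code( $logout ) ) {
        error_log( 'Discourse logout failed for Discourse user ' . $discourse_user_id );
        return false;
    }

    return true;
}
```

This only closes the sessions that already exist; it is the SSO check in `functions.php` (the one that refused the member with the declined card) that stops the user from logging back in afterwards. Keep the API key out of `functions.php` itself and out of version control, since it grants admin-level access to the forum.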

Thank you again, @Simon_Cossar. Your points make sense, but forgive me if I carry on for one more pass :slight_smile:

It seems to me that there are two factors at play here - the validity of an account (namely, are they an active member) and the validity of a token in Discourse.

For the first of these I absolutely agree that WordPress should own this and, as time allows, I will investigate.

However, there’s also the question of an active/valid token on the Discourse side. I understand that this might not be a high priority, but I can see some logic in an option (probably defaulting to off) which has a “force logon” timeframe, namely after x days the user’s logon token expires, regardless of whether s/he logged on recently.

Again, I am very much brainstorming here, but can see some value in forcing a logout as an option, independent of whether the user has a valid account.