Hello all!
I have read some of the commumities’ answers like these:
Unfortunately, there are some unclear points which prevent me from implementing it the optimal way.
I have set the “inactivity timeout” to 15 minutes and the “Maximum access token lifetime” to 15 minutes, for testing purpose. When both exceeds (TO is reached), the user is not redirected to the login page. This does happen when i manually delete the appSession cookie.
I have concluded that by “managing the application session” you probably meant that in my backend code i need to delete the cookie if the exp exceeds, but the cookie is encrypted and I cannot user a simple decode, but a rather cumbersome (and non efficient) base64 conversion, followed by JSON conversion and cleaning the non-parsable payload. It feels too awkward, and it made me believe I am doing something wrong. I want to redirect the user to the logout page (which as I mentioned earlier happens like a charm when the 2 fields exceed AND manually deleting appSession cookie), but it does not happen when I do not manually delete this cookie.