Hello, I have a few questions regarding login.
1. I found out that logout determination is based on the session time. I tested what happens when I perform an action during the idle session time and when I don’t. Even if there’s an action, if the idle session time elapses (rather than the max session time), it logs out. I understand that the idle session lifetime applies when there’s continuous inactivity. I’m curious about the exact criteria for this “inactivity.” It seems that simple UI clicks or page navigation are considered inactive, while refreshing the page obtains a new token and restarts the lifetime from that point. If that’s the case, what exactly is the role of the maximum session lifetime?
2. I understand that the ID token contains user information. When I set the ID token to expire after as short as 60 seconds, there was no change in the project’s behavior. When the ID token expires, where and how does it actually have an impact? What happens, and what is the practical role of the ID token?
3. While I was working on the project with the ID token, access token, and session lifetime all set to their defaults, I was redirected to the logout page after performing some user action following a certain period of time in a logged-in state. Based on this experience, I planned to implement the following: if there is no user action for 10 minutes, the user automatically gets logged out; but if there is an action, the token is renewed every 10 minutes so that the login state is maintained. However, as mentioned in point 1, simply applying an idle session time of 10 minutes causes a logout after 10 minutes regardless of UI clicks or page navigation. So this approach is incorrect. How should I implement this properly? Which session or which token should I adjust?
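As an added illustration of the idle-versus-maximum lifetime interaction asked about in points 1 and 3, here is a minimal session model with both limits. This is example code written for this page, not code from the poster's project or from any identity provider's SDK; the timing values, the `Session` class, the `simulate` helper and the rule that only requests that reach the authorization server count as "activity" are assumptions for illustration.

```javascript
// Added example (not from the original post): a server-side session model
// that enforces BOTH an idle timeout and an absolute (maximum) lifetime.
// Assumptions: time is a millisecond counter supplied by the caller, and
// only requests that actually reach the authorization server extend the
// idle window. Local UI clicks that never leave the browser do not.

const MINUTE = 60 * 1000;

class Session {
  constructor({ idleTimeoutMs, maxLifetimeMs, now }) {
    this.idleTimeoutMs = idleTimeoutMs;
    this.maxLifetimeMs = maxLifetimeMs;
    this.createdAt = now;      // fixed at login; renewal never moves it
    this.lastActivityAt = now; // moves only when the server is contacted
  }

  // Returns why the session is invalid at `now`, or null if it is still valid.
  // The absolute cap is checked first: once it is reached, no amount of
  // activity matters, which is exactly the role of a maximum lifetime.
  expiryReason(now) {
    if (now - this.createdAt >= this.maxLifetimeMs) return "max_lifetime";
    if (now - this.lastActivityAt >= this.idleTimeoutMs) return "idle_timeout";
    return null;
  }

  isValid(now) {
    return this.expiryReason(now) === null;
  }

  // Called when the client contacts the authorization server (for example a
  // silent token renewal or a full page reload that hits the login endpoint).
  // An already-expired session cannot be revived by touching it.
  touch(now) {
    if (!this.isValid(now)) return false;
    this.lastActivityAt = now;
    return true;
  }
}

// Simulate a client that contacts the server every `renewEveryMs` for
// `durationMs` and report when, and why, the session finally ends.
function simulate({ idleTimeoutMs, maxLifetimeMs, renewEveryMs, durationMs }) {
  const session = new Session({ idleTimeoutMs, maxLifetimeMs, now: 0 });
  let renewals = 0;
  for (let t = renewEveryMs; t <= durationMs; t += renewEveryMs) {
    if (!session.touch(t)) {
      return { endedAt: t, reason: session.expiryReason(t), renewals };
    }
    renewals++;
  }
  return { endedAt: null, reason: null, renewals };
}

// Constructed scenarios: 10-minute idle window, 8-hour absolute cap.
const base = { idleTimeoutMs: 10 * MINUTE, maxLifetimeMs: 480 * MINUTE, durationMs: 9 * 60 * MINUTE };

// Client renews every 5 minutes: the idle window never elapses, so the
// session survives until the absolute cap ends it.
console.log("renew every 5 min:", simulate({ ...base, renewEveryMs: 5 * MINUTE }));

// Client only renews every 15 minutes (or only clicks around locally): the
// idle window elapses before the first renewal reaches the server.
console.log("renew every 15 min:", simulate({ ...base, renewEveryMs: 15 * MINUTE }));
```

The two scenarios show the answer to "what is the maximum lifetime for": the idle timeout decides how long a session survives without the server hearing from the client, while the maximum lifetime is the hard ceiling that periodic renewal can never extend, so a forgotten or stolen session cannot be kept alive indefinitely. For the "log out after 10 idle minutes, otherwise keep renewing" plan in point 3, the client therefore has to perform a renewal that reaches the server inside every idle window, rather than relying on local UI events.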