Automatic logout when session is expired in LiveView

odd · April 8, 2025, 7:49am

Hey folks,

I’m building a session timeout feature to a LiveView app and I’m looking for some feedback. Basically it’s a modal that pops out telling the user they will be logged out after 5 minutes (with a button to stay logged in). I’m rendering a SessionTimeoutModal LiveView in app.html.heex which ticks every few seconds and checks a session_token_expires_at timestamp against current time. The issue I’m having is when it’s actually time to log the user out automatically. I’ve thought about and tried out the following:

Deleting the token from database in LiveView (but then the browser session doesn’t get cleared? Also can’t add a “You’ve been logged out automatically” flash notification)
Pushing a JS event which fetches the logout route (seems gimmicky and requires CORS stuff)
Redirecting to /logout from LiveView (can’t redirect to a DELETE route)
Redirecting to a new GET /logout or GET /auto_logout (GET shouldn’t modify stuff, but should I care?)

Option 4 seems to work, I just thought I’d ask how people tend to solve this since this is a fairly common feature.

Thanks!

LostKobrakai · April 8, 2025, 7:58am

Delete the token in the db (that’s why it’s in the db in the first place) and use Security considerations — Phoenix LiveView v1.0.9 to make sure any persistent connections are dropped. On reconnect the token of those connections would be invalid.

odd · April 8, 2025, 8:16am

Yeah either way, I am deleting the token. I just thought it would be nice to use the same logout method as when manually logging out. I guess I’ll try to go with deleting the token in LiveView, broadcasting the “disconnect” event and redirecting with a flash message. Thanks for your input

rhcarvalho · April 8, 2025, 12:18pm

Surprisingly it is possible to hit that route using a GET+params (/logout?method=DELETE) because the standard router has a plug that converts such params into the proper request method, thus hitting the desired logout controller.

(I’ve had to do it before)

On mobile now, let me know if you need more details.

garrison · April 8, 2025, 5:46pm

Does this not cause CSRF problems?

rhcarvalho · April 8, 2025, 7:02pm

Yes, it does. I had forgotten about it

In this particular case, I suppose the CSRF token can be pulled out from the meta tag or session and passed as a param too, _csrf_token according to Plug.CSRFProtection docs.

spacebat · April 8, 2025, 11:44pm

If there’s a manual logout action in the UI, you could add some javascript to support an event pushed from the server that invokes the same action, perhaps with a parameter indicating that this was an auto-logout. That way you’re in control for longer than if you just redirect, and the logout action is re-used.

LostKobrakai · April 9, 2025, 5:34am

You cannot depend on the client cooperating for something like a forced logout. There might be optional stuff done to make the logout a better experience, but eventually the logout needs to be driven by server side controlled mechanisms.

spacebat · April 12, 2025, 7:14am

Well a user script or browser extension could prod the server to prevent forced logout due to inactivity, so for this sort of thing a degree of client cooperation is involved anyway. However I take your point, there should always be a way to force log out a user from the server in an orderly way.

hasmanyguitars · June 10, 2025, 5:44pm

This is the approach I came up with. It’s a GenServer that starts a timer for each user when they log in and then resets that timer with JavaScript on mousemove, etc. I’m not a fan of having to use a GenServer for this, and I don’t like solely relying on JavaScript for the reason @spacebat mentioned. Has anyone come up with a cleaner solution?

defmodule MyApp.ActivityTimer do
  use GenServer

  @moduledoc """
  A GenServer that logs the user out after a specified inactivity timeout.
  """

  def start_link(_opts) do
    minutes =
      Application.get_env(:MyApp, MyAppWeb.Session)[:inactivity_timeout_in_minutes] || 5

    timeout = trunc(minutes * 60_000)

    enabled = Application.get_env(:MyApp, MyAppWeb.Session)[:activity_timer_enabled] == true

    GenServer.start_link(__MODULE__, %{timeout: timeout, timers: %{}, enabled: enabled},
      name: __MODULE__
    )
  end

  def init(state) do
    {:ok, state}
  end

  def start_timer(user_token_id) do
    GenServer.call(__MODULE__, {:start_timer, user_token_id})
  end

  def cancel_timer(user_token_id) do
    GenServer.call(__MODULE__, {:cancel_timer, user_token_id})
  end

  @doc """
  Changes the timeout value in the GenServer state.
  The timeout value is in milliseconds.
  """
  def set_timeout(timeout_ms) when is_integer(timeout_ms) and timeout_ms > 0 do
    GenServer.call(__MODULE__, {:set_timeout, timeout_ms})
  end

  @doc """
  Enable or disable the activity timer regardless of the config setting.
  This is useful for testing.
  """
  def set_enabled(enabled) when is_boolean(enabled) do
    GenServer.call(__MODULE__, {:set_enabled, enabled})
  end

  def handle_call({:set_timeout, timeout_ms}, _from, state) do
    {:reply, :ok, %{state | timeout: timeout_ms}}
  end

  def handle_call({:set_enabled, enabled}, _from, state) do
    {:reply, :ok, %{state | enabled: enabled}}
  end

  def handle_call(
        {:start_timer, user_token_id},
        _from,
        %{timeout: timeout, timers: timers, enabled: true} = state
      ) do
    if Map.has_key?(timers, user_token_id) do
      Process.cancel_timer(timers[user_token_id])
    end

    timer_ref = Process.send_after(self(), {:timeout, user_token_id}, timeout)
    {:reply, :ok, %{state | timers: Map.put(timers, user_token_id, timer_ref)}}
  end

  def handle_call(
        {:cancel_timer, user_token_id},
        _from,
        %{timers: timers, enabled: true} = state
      ) do
    if Map.has_key?(timers, user_token_id) do
      Process.cancel_timer(timers[user_token_id])
      {:reply, :ok, %{state | timers: Map.delete(timers, user_token_id)}}
    else
      {:reply, :ok, state}
    end
  end

  def handle_call(_request, _from, %{enabled: false} = state) do
    require Logger
    Logger.debug("Activity timer is disabled, ignoring request.")

    {:reply, :ok, state}
  end

  def handle_info({:timeout, user_token_id}, %{timers: timers} = state) do
    Task.start(fn -> expire_user_token_id(user_token_id) end)

    {:noreply, %{state | timers: Map.delete(timers, user_token_id)}}
  end

  defp expire_user_token_id(user_token_id) do
    MyApp.Users.delete_user_session_token(user_token_id)

    MyAppWeb.Endpoint.broadcast(
      "users_sessions:#{Base.url_encode64(user_token_id)}",
      "disconnect",
      %{}
    )
  end
end