How would one make a session expire?
Here is my configuration:
- Using a Salesforce Connected App
- Setup->Security Controls->Session Settings->Timeout Value = 15 minutes
- Setup->Security Controls->Session Settings->Disable session timeout warning popup = Unchecked
- Setup->Security Controls->Session Settings->Force logout on session timeout = Checked
- Setup->Manage Apps->Connected Apps->FirstConnectedApp->Refresh Token Policy = Refresh token is valid until revoked
Here is the test I run:
- Open Postman v6.0.10 Desktop App on Windows 10
- Use Postman v6.0.10 to Get Access Token:
(a) Click on "Get New Access Token"
(b) Enter values for Token Name, Grant Type (=Authorization Code), Callback URL, Auth URL, Access Token URL, Client ID, Client Secret, Client Authentication (=Send client credentials in body)
(c) Click on "Request Token"
(d) Login with user name and password
(e) Click on "Use Token"
- Use Postman v6.0.10 to update System Custom Object:
(a) Set HTTP/HTTPS method to "PATCH"
(b) Enter the address https://instance.salesforce.com/services/data/v42.0/sobjects/system__c/zzzzzzzzzzzzzzzzzz.
(c) For the body select JSON and place some valid JSON data.
(d) Click on "Send"
(e) When the response comes back empty, it was correctly executed.
- Close Postman.
- Walk away from computer for 20 minutes.
- Re-open Postman v6.0.10 Desktop App on Windows 10
- Resend the last update to System Custom Object using "Send" button, it will be saved.
Notice that the update was successful; however, the session should have expired, like so:
{
"message":"Session expired or invalid",
"errorCode":"INVALID_SESSION_ID"
}
Why is the session NOT expired? It should expire every 15 minutes.
If I go home for the night and come back in the morning (15 hours), the response shows that session is expired.
Is there a way to see the activity of the sessions? Would "Cloud Data Usage Tracker" (https://appexchange.salesforce.com/listingDetail?listingId=a0N3000000B495zEAB) be able to tell me why the session is not timing out after 15 minutes?
Best Answer
The org-default Session Timeout is overridden by the Profile's Session Timeout Value. Make sure that's also 15 mins.
Additionally, you can revoke access token by calling revoke endpoint.
https://developer.salesforce.com/blogs/developer-relations/2011/11/revoking-oauth-2-0-access-tokens-and-refresh-tokens.html
This is the consistent behaviour across the platform and hence Salesforce has added this Note.
Additionally, that timeout cycle depends on the half-life, so there is another word of caution.
SRC: https://help.salesforce.com/articleView?id=users_profiles_session.htm&type=5
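The expiry test from the question and the revoke call from the answer, scripted with only the Python standard library, as an added example (not code from either post). It assumes the instance URL, API version, object name and record id shown in the question, a placeholder access token, and the standard Salesforce OAuth revoke endpoint at `/services/oauth2/revoke` with a `token` form parameter; the two sample responses are constructed, not captured from a real org.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample responses (not captured from a real org): the empty
# 204 a successful sObject PATCH returns, and the error body the question
# expects once the session has timed out.
SAMPLE_OK = (204, b"")
SAMPLE_EXPIRED = (401, json.dumps([{
    "message": "Session expired or invalid",
    "errorCode": "INVALID_SESSION_ID",
}]).encode())


def classify_patch_response(status, body):
    """Map a REST PATCH response to 'updated', 'session_expired' or 'error'.

    Salesforce answers a successful update with 204 No Content and an empty
    body; any failure comes back as a JSON array of error objects, each
    carrying an errorCode.
    """
    if status == 204 and not body:
        return "updated"
    try:
        errors = json.loads(body.decode() or "[]")
    except (ValueError, UnicodeDecodeError):
        return "error"
    if isinstance(errors, dict):
        errors = [errors]
    if any(e.get("errorCode") == "INVALID_SESSION_ID" for e in errors):
        return "session_expired"
    return "error"


def build_patch_request(instance_url, api_version, sobject, record_id,
                        access_token, payload):
    """Build the same PATCH the question sends from Postman."""
    url = (f"{instance_url}/services/data/v{api_version}"
           f"/sobjects/{sobject}/{record_id}")
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 method="PATCH")
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Content-Type", "application/json")
    return req


def build_revoke_request(login_url, token):
    """Build the POST to the OAuth revoke endpoint the answer points to.

    The token to revoke is sent as a form-encoded 'token' parameter.
    """
    body = urllib.parse.urlencode({"token": token}).encode()
    req = urllib.request.Request(f"{login_url}/services/oauth2/revoke",
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def send(req):
    """Perform the request; return (status, body) even for 4xx/5xx answers."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def run_expiry_test(req, sender=send):
    """Send the PATCH and report whether the session is still alive.

    'sender' is injectable so the classification can be checked offline.
    """
    status, body = sender(req)
    return classify_patch_response(status, body)


if __name__ == "__main__":
    # Placeholder token and record id; swap in real values to run against an org.
    req = build_patch_request("https://instance.salesforce.com", "42.0",
                              "system__c", "RECORD_ID_PLACEHOLDER",
                              "ACCESS_TOKEN_PLACEHOLDER", {"Name": "test"})
    print(run_expiry_test(req))
```

Run the PATCH once, wait past the configured timeout, and run it again: a second result of `session_expired` means both the org-level and the profile-level timeout are in force, while a second `updated` points at a longer profile setting or a fresh token having been obtained in between. A request built by `build_revoke_request` ends the session immediately instead of waiting for the timeout.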