[SalesForce] How to Make Session Expire with Salesforce Connected App Web Server Flow

How would one make a session expire?

Here is my configuration:

  • Using a Salesforce Connected App
  • Setup->Security Controls->Session Settings->Timeout Value = 15 minutes
  • Setup->Security Controls->Session Settings->Disable session timeout warning popup = Unchecked
  • Setup->Security Controls->Session Settings->Force logout on session timeout = Checked
  • Setup->Manage Apps->Connected Apps->FirstConnectedApp->Refresh Token Policy = Refresh token is valid until revoked

Here is the test I run:

  1. Open Postman v6.0.10 Desktop App on Windows 10
  2. Use Postman v6.0.10 to Get Access Token:
    (a) Click on "Get New Access Token"
    (b) Enter values for Token Name, Grant Type (=Authorization Code), Callback URL, Auth URL, Access Token URL, Client ID, Client Secret, Client Authentication (=Send client credentials in body)
    (c) Click on "Request Token"
    (d) Login with user name and password
    (e) Click on "Use Token"
  3. Use Postman v6.0.10 to update System Custom Object:
    (a) Set HTTP/HTTPS method to "PATCH"
    (b) Enter the address https://instance.salesforce.com/services/data/v42.0/sobjects/system__c/zzzzzzzzzzzzzzzzzz.
    (c) For the body select JSON and place some valid JSON data.
    (d) Click on "Send"
    (e) When response comes back empty, it was correctly executed.
  4. Close Postman.
  5. Walk away from computer for 20 minutes.
  6. Re-open Postman v6.0.10 Desktop App on Windows 10
  7. Resend the last update to System Custom Object using "Send" button, it will be saved.
  8. Notice that the update was successful; however, the session should have expired, like so:

    {
      "message":"Session expired or invalid",
      "errorCode":"INVALID_SESSION_ID"
    }

Why is the session NOT expired? It should expire every 15 minutes.

If I go home for the night and come back in the morning (15 hours), the response shows that the session is expired.

Is there a way to see the activity of the sessions? Would "Cloud Data Usage Tracker" (https://appexchange.salesforce.com/listingDetail?listingId=a0N3000000B495zEAB) be able to tell me why the session is not timing out after 15 minutes?

Best Answer

The org default Session Timeout is overridden by the Profile's Session Timeout Value. Make sure that's also 15 mins.

You can control session settings on a user profile basis. If you don’t configure the profile session settings, the org’s session settings apply to users of the profile. When set, the profile settings override the org-wide settings.

Additionally, you can revoke access token by calling revoke endpoint.

https://developer.salesforce.com/blogs/developer-relations/2011/11/revoking-oauth-2-0-access-tokens-and-refresh-tokens.html

This is the consistent behaviour across the platform and hence Salesforce has added this Note.

When users close a browser window or tab, they aren’t automatically logged out from their Salesforce session. Ensure that your users are aware of this behavior and that they end all sessions properly by selecting Your Name

Additionally, that timeout value cycle depends on a half-life check, so there is another word of caution.

The last active session time value isn’t updated until halfway through the timeout period. So if you have a 30-minute timeout, the system doesn’t check for activity until 15 minutes have passed. For example, if you update a record after 10 minutes, the last active session time value isn’t updated because there was no activity after 15 minutes. You’re logged out in 20 more minutes (30 minutes total), because the last active session time wasn’t updated. Suppose that you update a record after 20 minutes. That’s 5 minutes after the last active session time is checked. Your timeout resets, and you have another 30 minutes before being logged out, for a total of 50 minutes.

SRC: https://help.salesforce.com/articleView?id=users_profiles_session.htm&type=5
