User can access application after session deletion due to session caching

Issue

When an administrator deletes the session of a logged-in user through the Active Sessions screen, the user can still access the application for approximately one additional minute, even though the session is immediately deleted on the server side. This behavior raises concerns about immediate access restriction after session termination.

Environment

Applications hosted in any deployment type

Cause

This behavior is expected and is caused by session caching in Mendix nodes. For performance reasons, sessions are cached in nodes for up to 30 seconds by default. As a result, it can take up to 30 seconds before a user is fully prevented from taking actions in the application after their session is terminated.

Solution/Workaround

While this is the default behavior, the session caching duration can be adjusted:

  1. The session caching duration can be configured using the SessionValidationTimeout runtime setting.
  2. By default, this setting is set to 30 seconds.
  3. Decrease this value to reduce the time a user can still access the application after logout, but be aware that this may impact performance.
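
The trade-off between the caching duration and the access window after deletion can be seen in a small model. This is an added example, not Mendix runtime code: the classes, the `simulate` function and the one-request-per-second traffic are assumptions made for illustration, and the deletion is placed one second after a validation to show the worst case.

```python
# Added conceptual model of a per-node session cache; not Mendix runtime code.
# All class and function names are hypothetical. Times are simulated seconds.

class SessionStore:
    """Authoritative session table shared by all nodes."""
    def __init__(self):
        self.sessions = {"s1"}   # constructed sample session
        self.lookups = 0         # each lookup stands for a round trip the cache avoids

    def exists(self, session_id):
        self.lookups += 1
        return session_id in self.sessions

class NodeCache:
    """A node that trusts a session until its last validation is too old."""
    def __init__(self, store, validation_timeout):
        self.store = store
        self.validation_timeout = validation_timeout
        self.validated_at = {}   # session_id -> time of last check against the store

    def authorize(self, session_id, now):
        last = self.validated_at.get(session_id)
        if last is not None and now - last < self.validation_timeout:
            return True          # cache hit: a deleted session is still accepted
        if self.store.exists(session_id):
            self.validated_at[session_id] = now
            return True
        self.validated_at.pop(session_id, None)
        return False

def simulate(validation_timeout, delete_at, duration=120):
    """One request per second; returns (requests accepted after deletion, store lookups)."""
    store = SessionStore()
    node = NodeCache(store, validation_timeout)
    accepted_after_delete = 0
    for now in range(duration):
        if now == delete_at:
            store.sessions.discard("s1")   # administrator deletes the session
        if not node.authorize("s1", now):
            break                          # first denied request: stop counting
        if now >= delete_at:
            accepted_after_delete += 1
    return accepted_after_delete, store.lookups

if __name__ == "__main__":
    for timeout in (30, 5, 0):
        print(timeout, simulate(timeout, delete_at=31))
```

In this model a 30-second timeout lets the deleted session through for 29 more requests using 3 store lookups, while a timeout of 0 rejects the very next request but performs a lookup on every request.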

Internal information related

253829

Additional information

Mendix documentation: Clustered Mendix Runtime
