[SPIKE] As a user, I need to be timed out from my session (Research session timeout)

[hilvitzs]

Description:
Research needs to be done to determine how to initiate a session timeout from the front end.

Acceptance Criteria:

• Session timeout story As an authenticated user that has been inactive for 30 minutes, I want to be notified to extend or end my session #197 is tasked out

Tasks:

• Find best practices for initiating session timeouts from a React app
• Pair with 18F for suggestions on other projects where the timeout has been implemented
• New issue will be created to discuss with security if 15 mins is sufficient for timeouts As an authenticated user that has been inactive for 30 minutes, I want to be notified to extend or end my session #197

Notes:

• This information is needed prior to starting As an authenticated user that has been inactive for 30 minutes, I want to be notified to extend or end my session #197
• I am timeboxing this to 4 hours
• Not researching about how long the timeout should be. That will be part of a follow

Open Questions:

• How do you check for user inactivity from the FE?
  -- Found a good solution for React
• What needs to be sent to the BE in order to initiate a session timeout?
  • If React initiates, then sends a logout message to BE. If react does not initiate timeout, what happens? (Ryan to send Carl soemthing)

Findings

Backend
The backend will be the ultimate arbiter of session management. When the user logs in they will receive an HttpOnly cookie that is set to expire in 30 minutes. After that, with every interaction between the FE and BE, the BE will refresh the cookie, so it will extend the timeout time to another 30 minutes.

Frontend
The frontend will also have a timer that it will set when the user logs in. It will monitor user activity and reset every time a user interacts with the page. That means when a form field is filled out or changed, the FE timer will reset. Because this is not dependent on interactions with the BE, the FE will call the /v1/authorization-check endpoint whenever it resets the timer. This will serve to verify the user is still authenticated on the BE as well as refresh the cookie.

When the FE timer reaches 20 minutes (?) it will alert the user that the session will time out soon and give them the option to either extend the session or logout of the system. If the user chooses to extend the session, the FE will call the /v1/authorization-check endpoint to refresh the session. If the user elects to log out of the system it will call the /v1/logout endpoint to clear the session and log the user out of the system.

[lfrohlich]

This is done