Question
United health group
IN
Last activity: 5 Oct 2015 5:38 EDT
Session Log off upon browser close
Hi Team,
Can you tell me how can I log off a operator session if he closes the browser without clicking logoff.
Pegasystems Inc.
IN
Hi
When a user clicks the Log off link on a portal window, Process Commander runs a JavaScript function that starts the standard activity Code-Security.LogOff.
This activity releases all locks, all clipboard pages, and other resources held by the requestor, and displays the standard HTML rule @baseclass.Web-Session-Return.
In contrast, users who exit by closing the browser window do not cause this activity to run. Locks and clipboard are retained until the session times out; this can interfere with the ability of other users to update work objects, assignments, or rules locked by that user.
As per the following PRPC Help documentation, I can confirm that it is not possible to invoke PRPC Operator logoff processing when the user closes the browser session via the “X” close icon
Refer the help article here :
Hi
When a user clicks the Log off link on a portal window, Process Commander runs a JavaScript function that starts the standard activity Code-Security.LogOff.
This activity releases all locks, all clipboard pages, and other resources held by the requestor, and displays the standard HTML rule @baseclass.Web-Session-Return.
In contrast, users who exit by closing the browser window do not cause this activity to run. Locks and clipboard are retained until the session times out; this can interfere with the ability of other users to update work objects, assignments, or rules locked by that user.
As per the following PRPC Help documentation, I can confirm that it is not possible to invoke PRPC Operator logoff processing when the user closes the browser session via the “X” close icon
Refer the help article here :
https://community.pega.com/sites/default/files/help_v719/procomhelpmain.htm
Pegasystems
US
Regarding this part:
>>> You cannot prohibit or detect this in your application. Closing the browser window is not detectable by a JavaScript event or function. Microsoft — possibly by design — provides no event for this;
Is that true as well for non-ms browsers such as firefox and chrome ? Or do these browsers have a way to detect the closure of the browser window that the ms ie browser does not ? Or is it that since even these browsers are running on an ms operating system (windows 7), they are still restricted by that operating system to have no way of detecting the closure of the browser window ? /Eric
Pegasystems
US
The statement "Closing the browser window is not detectable" from the document is false. The 'beforeunload' event is supported since jQuery 1.4. See this example: Refresh a page in jQuery
Pegasystems Inc.
US
You can indeed register for event (onunload/ onbeforeunload) that will be called when the document is unloaded but there is no event sent when closing your browser - In Designer Studio or in an iframe dynamic container, every tab is its own document so you will get an unload event when closing a tab in the DC. Also if you have a secondary portal, closing the tab in your browser for the secondary portal will also trigger an unload but you do not have anyway to know if this is a secondary / primary portal
While you can leverage such event, you will need to validate that the document receiving the unload event is the main document of the primary portal (e.g the top level harness)
Pegasystems Inc.
US
To follow up on what Richard said, I've worked with customers to try and solve this problem in the past with onBeforeUnload. The problem is that, even if you position it in your harness so that you don't unload as you navigate or do other regular work, a browser refresh will fire the event, resulting in logging the user out. You're better off training your users not to close the browser window before logging out and tuning the server side timeouts so that the users who ignore the training don't significantly impact your servers.
United health group
IN
But when the browser is closed after some time the session times out so based on that time out I have to log a message for security tracking.
Can you please clarify me how can I trigger anm activity upon session timeout
Pegasystems Inc.
US
The only approach that I can think of is that you use a custom authentication and implement the timeout activity - see https://pdn.pega.com/documents/authentication-in-pegarules-process-commander-prpcv52 - page 95 for timeout activities
Updated: 22 Sep 2015 12:54 EDT
Pegasystems Inc.
US
Quick Note on Timeout Activites:
Timeout activities defined in a Data-Admin-AuthService only run when an incoming request hits a requestor that has timed out. Timed out is when the Data-Admin-AuthService is using Pega-Rules timeout, custom tab, and the Accessgroup has a timeout value larger than 0. The requestor is set to "timed out" but nothing gets fired automatically in the background.
Window Hard Close event processing:
The basic answer to this is that you can't configure any JavaScript to really run correctly when closing a browser window or tab and have it call back to the server. This is actually by design and you can run scripts based on mouse position etc and get the code to run only when clicking "x" from tab or main browser window but Chrome and Firefox will actually block AJAX requests from client to server onbeforeunload and unload events. (There is some chatter that it will not block synchronous calls but i don't see them working)
IMPORTANT WARNING:
Quick Note on Timeout Activites:
Timeout activities defined in a Data-Admin-AuthService only run when an incoming request hits a requestor that has timed out. Timed out is when the Data-Admin-AuthService is using Pega-Rules timeout, custom tab, and the Accessgroup has a timeout value larger than 0. The requestor is set to "timed out" but nothing gets fired automatically in the background.
Window Hard Close event processing:
The basic answer to this is that you can't configure any JavaScript to really run correctly when closing a browser window or tab and have it call back to the server. This is actually by design and you can run scripts based on mouse position etc and get the code to run only when clicking "x" from tab or main browser window but Chrome and Firefox will actually block AJAX requests from client to server onbeforeunload and unload events. (There is some chatter that it will not block synchronous calls but i don't see them working)
IMPORTANT WARNING:
Basically what you want to do is a bad idea anyway. Why? Each HTTP request requires a response. There is no real send and forget in HTTP. You will try a GET or POST and each returns a response. The browser window is closing though so where will the response go? The applicaiton has to send you a response and it's going to. So really this should be a sycnhronous request... but on any type of unload event that is also a bad idea. What if the server is down? What if the client went out of WIFI range? The window won't close until it gets a response so now you have to configure a really small timeout. It just ends up being a really unreliable process that will cause extreme frustration.
Over the years in my support role been asked to attempt this . I have been somewhat successfull with IE but with Chrome and Firefox there are lots of issues:
Sample Code: (tested outside of PRPC just to see if it could be done)
-------------------------------------
<!DOCTYPE html>
<html>
<script>
window.addEventListener("beforeunload", CallAppCloseWindow, false);
function CallAppCloseWindow(e)
{
var evtobj=window.event? event : e;
var isWindowHardClose = false;
if (evtobj == e)
{
//Chrome/Firefox wont populate clientY when outside client window - no negatives maybe or beforeunload has no clientY? So really in Chrome and firefox i can't tell if the end user event was from outside of the client area and if the event is coming from closing using the "x". I have tried pageY etc ... just put a break point here....nothing to determine if the request should really be fired.
if (!evtobj.clientY) {
isWindowHardClose = true;
}
}
else {
//IE - will populate clientY with a negative value.
if (evtobj.clientY < 0){
isWindowHardClose = true;
}
}
if (isWindowHardClose) {
//this fires fine in IE but not in Chrome and Firefox - debugger shows "aborted" on the send.
var oXmlHttp = new XMLHttpRequest();
//this is a synchronous call .. not good without a handler and a timeout timer.
oXmlHttp.open("GET", "http:// Proprietary information hidden/foo.html", false);
oXmlHttp.send();
}
}
</script>
<body>
<h2>OnBeforeUnloadTesting</h2>
</body>
</html>
------------------------------
United health group
IN
Hi Kris,
Can you please tell me which activity or Rule in pega does this session time out action.
I want to customize it.
Thanks in advance
Pegasystems Inc.
US
I already replied to this question - timeout activity are specified as part of custom authentication (see Data-Admin-AuthService rule)- see see https://pdn.pega.com/documents/authentication-in-pegarules-process-commander-prpcv52 - page 95 for timeout activities
United health group
IN
Hi Richard,
Thank you for the information that you shared. It was good.
In my application we are using Siteminder for authentication ,So session time out is being maintained at server level in prweb or prconfig.xml files .(Please correct me if I am wrong)
In this case which default activity or rule kills my session could you please suggest.
United health group
IN
I am using Site minder and in the Auth service rule we have authentication timeout acticity which if left empty in my application.
So In this case Will the requestor time out mentioned in configuration files will trigger ?
If yes Please suggest me how to log when the requestor timeout happens.