Request for an out of the box configuration setting for when sessions are fully expired
Request for an out of the box configuration setting for when sessions are fully expired:
• Session Expiration, letting the client decide whether they would like to redirect to a Session Expired page or use an overlay with a Session Expired modal on the same page.
• In this setting we could also provide an additional sub-setting with the ability to enable a session expiration warning (the admin can set the number of minutes).
Incomplete Client-Side Inactivity Timeout: we have two different issues with this vulnerability:
• If a customer steps away from their system without an automatic logout after a period of inactivity, there is a risk that others may access sensitive information. (They can't take any action; however, they can see all the information on the current page.)
• Customers believe they are still logged in while attempting to check out or submit orders, only to find themselves logged out unexpectedly. This can be frustrating for them.
This issue was raised as a security vulnerability by the security audit team, and it is also a customer experience issue (customers are not aware of the session expiration). This is already in your tracker, but it is marked "Working as Designed." It is a security issue; please consider it as a security fix.
Finding: Incomplete Client-Side Inactivity Timeout
Severity: Low
Description: When a user's session expires, their active window is not redirected to a timeout or login page. Any information on the page remains exposed.
Status: Working as Designed
Vendor response: This is currently designed behavior on Storefront; any action on a website after session timeout will redirect the user to the SignIn page.
-
Currently this can be handled at the project level with a customization made by implementation partner.
Although we cannot guarantee a release date, we will include this in our roadmap discussions for future roadmap inclusion.
As part of an initial review, we hope to incorporate an out-of-the-box setting for when sessions are fully expired, with the following considerations:
- Session Expiration, letting the client decide whether they would like to redirect to a Session Expired page or use an overlay with a Session Expired modal on the same page.
- In this setting we could also provide an additional sub-setting with the ability to enable a session expiration warning (the admin can set the number of minutes).
If there are additional considerations we should keep in mind, please continue to add feedback.
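What such a project-level customization can look like, as an added example that is not part of this request, the vendor's response, or the Storefront/B2B Cloud product code: a client-side inactivity monitor in JavaScript that mirrors the server's idle timeout, shows a warning a configurable number of minutes before expiry, and on expiry either redirects to a session-expired page or shows an overlay modal, selected by a setting. The configuration keys, the element markup, the data-sensitive attribute and the /session-expired and /login URLs are assumptions, not product settings.

```javascript
// Added example (not the product's or the requester's code): a client-side
// inactivity monitor with a configurable warning and a redirect-or-modal
// expiry behaviour. All configuration keys, URLs and markup are assumptions.

// Hypothetical out-of-the-box setting shaped like the request above.
const SESSION_CONFIG = {
  idleTimeoutMinutes: 15,             // must match the server-side session idle timeout
  warningMinutes: 2,                  // warn this many minutes before expiry (0 disables the warning)
  expiredBehavior: 'modal',           // 'redirect' | 'modal'
  expiredPageUrl: '/session-expired', // assumed URL, used in 'redirect' mode
};

// Pure state machine: 'active' -> 'warning' -> 'expired'. All side effects go
// through `hooks`, so the same logic runs in a browser and under a test clock.
function createInactivityMonitor(config, hooks) {
  const timeoutMs = config.idleTimeoutMinutes * 60 * 1000;
  const warnAtMs = timeoutMs - config.warningMinutes * 60 * 1000;
  let lastActivity = hooks.now();
  let state = 'active';

  // Called on every user interaction. Activity after expiry is ignored: the
  // server session is gone, so only a fresh sign-in can restore it.
  function recordActivity() {
    if (state === 'expired') return;
    lastActivity = hooks.now();
    if (state === 'warning') {
      state = 'active';
      hooks.hideWarning();
    }
  }

  // Called periodically (e.g. once a second). Returns the current state.
  function check() {
    if (state === 'expired') return state;
    const idleMs = hooks.now() - lastActivity;
    if (idleMs >= timeoutMs) {
      state = 'expired';
      hooks.clearSensitiveContent(); // nothing readable stays on screen in either mode
      if (config.expiredBehavior === 'redirect') hooks.redirect(config.expiredPageUrl);
      else hooks.showExpiredModal();
    } else if (state === 'active' && config.warningMinutes > 0 && idleMs >= warnAtMs) {
      state = 'warning';
      hooks.showWarning(Math.ceil((timeoutMs - idleMs) / 1000));
    }
    return state;
  }

  return { recordActivity, check, getState: () => state };
}

// Runs the monitor against a scripted timeline with a fake clock and returns
// the hook calls in order; exercises the logic without a browser.
function simulate(config, timeline) {
  let clock = 0;
  const log = [];
  const hooks = {
    now: () => clock,
    showWarning: (secondsLeft) => log.push(`warn:${secondsLeft}s`),
    hideWarning: () => log.push('warn-hidden'),
    clearSensitiveContent: () => log.push('cleared'),
    redirect: (url) => log.push(`redirect:${url}`),
    showExpiredModal: () => log.push('modal'),
  };
  const monitor = createInactivityMonitor(config, hooks);
  for (const step of timeline) {
    clock = step.atMs;
    if (step.activity) monitor.recordActivity();
    monitor.check();
  }
  return { log, state: monitor.getState() };
}

// Browser wiring; a no-op under Node. The banner/overlay markup, the
// [data-sensitive] attribute and the /login URL are assumptions.
function attachToPage(config) {
  if (typeof document === 'undefined') return null;
  const banner = document.createElement('div');
  const overlay = document.createElement('div');
  banner.hidden = true;
  overlay.hidden = true;
  overlay.innerHTML = '<p>Your session has expired.</p><a href="/login">Sign in again</a>';
  document.body.append(banner, overlay);
  const hooks = {
    now: () => Date.now(),
    showWarning: (s) => { banner.textContent = `Your session will expire in ${s} seconds.`; banner.hidden = false; },
    hideWarning: () => { banner.hidden = true; },
    clearSensitiveContent: () => {
      document.querySelectorAll('[data-sensitive]').forEach((el) => { el.textContent = ''; });
    },
    redirect: (url) => { window.location.replace(url); },
    showExpiredModal: () => { overlay.hidden = false; },
  };
  const monitor = createInactivityMonitor(config, hooks);
  for (const ev of ['click', 'keydown', 'mousemove', 'scroll', 'touchstart']) {
    document.addEventListener(ev, monitor.recordActivity, { passive: true });
  }
  setInterval(monitor.check, 1000);
  return monitor;
}

attachToPage(SESSION_CONFIG);
```

The timer is a user-experience and on-screen-exposure mitigation only: the server must still invalidate the session after its own idle timeout, and idleTimeoutMinutes must equal (or slightly undercut) that server value, or the warning will fire before or after the real expiry. In modal mode the example blanks elements marked data-sensitive before showing the overlay, because an overlay alone leaves pricing and account data in the DOM, where anyone at the keyboard can read it by removing the overlay in the browser's developer tools; the redirect option avoids that entirely.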
-
Jeff Sleik
commented
Per PCI compliance, eCommerce websites must log the user out after a specified period of inactivity. However, when B2B Cloud does this, it only logs the user out in the background, leading users to believe they are still logged in.
This can cause frustration/confusion when a user moves forward in a checkout or other "logged in" activity and is suddenly logged out.
It would be great for B2B Cloud to provide some sort of alert or notification to let the user know that they were logged out due to inactivity. This would help improve this part of the user experience.
-
Dean E. Krout
commented
Web users are logged out with no warning. Their pricing changes to Guest pricing and they lose access to some of our products.
I sure would like to see a window that says "You were Signed off" with the option to single click to sign back in and continue.
Or something equally user friendly. Support #77711