Understanding B2C Web App Session Timeout

Question

Understanding B2C Web App Session Timeout

hampton123 1,175

I'm new to Azure AD B2C and looking through the settings for my user flow (sign in only), I saw the setting for Web app session timeout. Can someone explain the difference between Absolute and Rolling settings? Does Absolute mean the token is completely invalid once the Web app session lifetime is up, and does Rolling means the Web app session lifetime refreshes each time the user performs an action involving the token?

Here's the documentation I was reading, although it talks about it there I just wanted to be 100% sure this was the case. Azure AD B2C session behavior.

Accepted answer

0 additional answers

Your answer

Answer 1

@hampton123

Thank you for posting your query on Microsoft Q&A, from above description I could understand that you are looking for difference in behavior of Absolute and Rolling settings in Web app session timeout.

Please do correct me if this is not the case by responding in the comments section.

Rolling session:

When the session behavior is set to "Rolling", the session is extended every time the user performs a cookie-based authentication1. This means that the session timeout is reset every time the user interacts with the application, such as clicking a button or navigating to a different page. As long as the user is active in the application, the session will not expire.

For example, if the session lifetime is set to 30 minutes and the user performs a cookie-based authentication at 12:00 PM, the session timeout will be reset to 30 minutes1. If the user interacts with the application at 12:10 PM, the session timeout will be reset to 30 minutes again. If the user remains active in the application, the session will not expire1.

The "Rolling" session behavior provides a better user experience because the user is not prompted to sign in again as long as they are active in the application. However, it also means that the session can potentially last longer than the session lifetime setting if the user remains active in the application.

Absolute Session:

However "Absolute" session behavior provides a more secure user experience because the user is forced to re-authenticate after a fixed time period, regardless of whether they are active in the application or not. However, it can also be less convenient for the user because they may be prompted to sign in again even if they are still active in the application.

For example, if the session lifetime is set to 30 minutes and the user performs a cookie-based authentication at 12:00 PM, the session will expire at 12:30 PM, regardless of whether the user is active in the application or not. If the user interacts with the application at 12:10 PM, the session timeout will not be reset. If the user remains inactive in the application, the session will expire after 30 minutes.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

hampton123 1,175 Reputation points

2023-08-21T12:31:37.98+00:00

Thank you Akshay-MSFT! Your example makes perfect sense.
twilson 20 Reputation points

2024-01-22T22:46:05.3366667+00:00

@Akshay-MSFT Your description of the differences between "absolute" and "rolling" are exactly what I would expect, however, it is not what I am observing. It seems in my case for some reason, the session is always behaving as "rolling", however, I have a requirement to implement at fixed session that forces the user to re-login regardless of whether they are active or not.

For my testing, I have the "Access/ID token lifetime" set to 5 minutes, the "Refresh Token lifetime" set to 1 day, the "Web app session lifetime" set to 15 minutes and the "Web app session timeout" set to Absolute. We are using a standard sign up/sign in flow and have a web application that utilizes the oauth2-proxy middleware component to talk to B2C. In my testing, if I log in at time x minutes, and subsequently interact with the application at say x+10 minutes (which triggers a refresh token exchange with B2C), then I am still able to obtain refresh tokens past x+15 minutes. I only receive an error obtaining the refresh token if I do nothing on my application that triggers a refresh token exchange for 15 minutes (i.e. it seems to behave as a rolling session). Any ideas of why I am seeing this behavior and what I can do to force an absolute session?
AdamKozmic-7665 60 Reputation points

2024-10-28T18:19:47.2433333+00:00

@Akshay-MSFT

What constitutes "remains active in the application?" Does that only count on B2C authentication requests?

I ask because after login, the user is redirected back to our single-page-application, at which point our "session" is effectively the accessToken/refreshToken combination after a successful OAuth exchange. Does refreshing the accessToken extend the session on the B2C side? I have a feeling the answer is no because I don't know how it could, but otherwise I'm not sure how/when the user would ever "interact with" the B2C cookie.

In theory since the refresh token is good for 24 hours, we should be able to keep getting tokens throughout the lifetime of a 24 hour rolling session, and then I guess we could route to sign-in without a prompt parameter periodically. That should bounce right back to us as silent login because the user's session is still active, at which point the session would extend? Does that sound like what MS would recommend for handling it?

Thanks

-Adam

Share via

Understanding B2C Web App Session Timeout

0 additional answers

Your answer