One important piece of managing user logins in any system is determining the maximum session timeout for users. ServiceNow allows administrators to set a global session timeout or allow users the option of having their session remembered and never logging the user out unless they log out themselves.
In some cases, you may need additional flexibility around these session timings. You might want to time users out of the system after a certain period of time even if they have the ‘Remember me’ checkbox checked. You might also want to evaluate the timeout based on specific user criteria. The base configuration doesn’t allow you to have this kind of flexibility, but you can introduce additional capabilities via a scheduled job script. This solution shows how you can force a session timeout even for users with the ‘Remember me’ checkbox selected.
This configuration can be accomplished in a few simple steps as shown below…
- Create a new system property to store the maximum number of hours of inactivity for ‘Remember me’ logins.
Storing the maximum number of hours in a system property will allow for the modification of the timeout without having to go in and modify the scheduled job script directly.
- Create a new scheduled job to automatically run a script.
The script queries the ‘Logged in Users’ [v_user_session] table for users who haven’t had an active transaction in the last ‘x’ number of hours based on the ‘glide.ui.remember_me_timeout’ property you set up above. If the condition is met, the user session is locked, logging them out of the system. This is based on the mechanism that ServiceNow has to allow admins to log users out of the system manually. Once logged out, the user will be redirected to a login screen upon their next attempted navigation within the system. This script can be further adjusted to calculate the timeout based on minutes or even look at individual user criteria as well.
Description: Log out ‘Remember me’ users after a certain amount of inactivity (in hours).
Value: 24 (or whatever you like)
Name: Force Maximum Inactivity Timeout (Remember me)
Repeat interval: 15 minutes
Run this script:
//Pulls number of hours from 'glide.ui.remember_me_timeout' property
var maxInactiveHours = gs.getProperty('glide.ui.remember_me_timeout');
var sess = new GlideRecord('v_user_session');
sess.addEncodedQuery('user!=guest^last_transaction_timeRELATIVELE@hour@ago@' + maxInactiveHours);
//Optionally test for user-specific criteria here. 'sess.user' contains the user_name so you can query on it.
sess.locked = true;
If you’ve done all of the above steps correctly, you should end up with a simple-to-maintain mechanism for controlling the duration of those ‘Remember me’ sessions automatically.
If the homepage has refresh option on , like after 10 mins refresh the page , would the above functionality still work?
No because any AJAX request/page refresh would perform queries and keep the session alive. If the user weren’t viewing that page though then it would work.
where can i find this option in the servicenow demo instance
I’m not sure exactly which option you’re referring to. If you’re in a ServiceNow demo instance though, you might not have the same ability to manipulate the configuration because they lock it down considerably there.
Hi Mark, very useful share! Thanks.
Although I think this set up will work only on single node instances because the v_user_session table only shows active users on the current node.
Simple change will be to create the schedule job (sys_trigger) and set the System ID field to All Nodes so that the job runs on every node.
Thanks Ahmed, that’s a great point!