
ServiceNow Mobile App Session Timeout

Overview

This discussion applies to the ServiceNow native mobile apps for iOS and Android. This does not apply to the ServiceNow mobile web experience or other mobile applications that integrate with ServiceNow.

What settings determine session timeouts in the native mobile apps?

The native mobile app's session length is determined by the greatest of these settings:

  • The OAuth refresh token lifespan for the ServiceNow Mobile App record in the oauth_entity table (defined in seconds)
  • The OAuth access token lifespan for the ServiceNow Mobile App record in the oauth_entity table (defined in seconds)
  • The web session timeout defined by the glide.ui.session_timeout system property (defined in minutes)
  • The integration session timeout defined by the glide.integration.session_timeout system property (defined in minutes). If this property is not defined, it will default to 5 minutes in Helsinki and 1 minute in Istanbul.

Note: To validate that changes to these settings are working, you must log out and back in to the ServiceNow Mobile app. This is a critical step that ensures the app uses tokens and sessions with the updated lifespans instead of previously granted tokens or sessions with different lifespans.

What determines session inactivity in the native mobile apps?

Sessions are considered active if the app is in the foreground or if the app is processing a long running task in the background.

Any of the following actions are considered "backgrounding" the app:

  • Explicitly sending the app to the background
  • Locking the screen or having the screen go to sleep
  • Switching to a different app

Any of the following states are considered "actively running":

  • The app is visible on the screen (in the foreground) and the screen is unlocked
  • The app is processing a long running task even if the app is in the background (such as uploading or downloading a large attachment)

How do you validate that session timeout settings are working in the native mobile apps?

In this example, we want the native mobile apps to log out after 30 minutes of inactivity.

Configure these settings on your instance:

  • Set the OAuth refresh token lifespan for the ServiceNow Mobile App record in the oauth_entity table to 1800 seconds
  • Set the OAuth access token lifespan for the ServiceNow Mobile App record in the oauth_entity table to 1800 seconds or less
  • Set the web session timeout defined by the glide.ui.session_timeout system property to 30 minutes or less
  • Ensure that the integration session timeout defined by the glide.integration.session_timeout system property is either not defined or set to 30 minutes or less. If this property is not defined, it will default to 5 minutes in Helsinki and 1 minute in Istanbul.

Test these timeout settings using the native mobile app:

  • Log out of your instance with the native mobile app. This is a critical step that will ensure the app uses tokens and sessions with the updated lifespans instead of using previously granted tokens or sessions with different lifespans.
  • Log in to your instance with the native mobile app
  • Send the app to the background (see "What determines session inactivity in the native mobile apps?" above)
  • Wait 30 to 35 minutes
  • Launch the app and notice that the user has been logged out
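
Before running the device test, the four values can be checked against the target on paper. The following is an added example, not code from ServiceNow or from this article: it normalizes the four settings to seconds, takes the greatest, and names any setting that would keep the session alive past the target. The `settings` field names and the sample values are assumptions made for illustration; read the real values from your instance.

```javascript
// Added example, not ServiceNow code. Field names of `settings` are hypothetical.
// Defaults for an undefined glide.integration.session_timeout, as stated in the article.
const INTEGRATION_DEFAULT_MIN = { helsinki: 5, istanbul: 1 };

function auditMobileSessionTimeout(settings, targetMinutes, release) {
  const integrationMin =
    settings.integrationSessionTimeoutMin ?? INTEGRATION_DEFAULT_MIN[release];
  // Normalize everything to seconds: OAuth lifespans are stored in seconds,
  // the two system properties in minutes.
  const lifespans = [
    { name: 'oauth_entity refresh token lifespan', seconds: settings.refreshTokenLifespanSec },
    { name: 'oauth_entity access token lifespan', seconds: settings.accessTokenLifespanSec },
    { name: 'glide.ui.session_timeout', seconds: settings.uiSessionTimeoutMin * 60 },
    { name: 'glide.integration.session_timeout', seconds: integrationMin * 60 },
  ];
  for (const { name, seconds } of lifespans) {
    if (!Number.isFinite(seconds) || seconds <= 0) {
      throw new Error(`missing or invalid value for ${name}`);
    }
  }
  // The session lasts as long as the greatest of the four values.
  const effectiveSeconds = Math.max(...lifespans.map((l) => l.seconds));
  const targetSeconds = targetMinutes * 60;
  return {
    effectiveSeconds,
    governedBy: lifespans.filter((l) => l.seconds === effectiveSeconds).map((l) => l.name),
    exceedsTarget: lifespans.filter((l) => l.seconds > targetSeconds).map((l) => l.name),
  };
}

// Constructed input: OAuth lifespans lowered to 1800 s, web session left at 60 minutes.
const constructedSettings = {
  refreshTokenLifespanSec: 1800,
  accessTokenLifespanSec: 1800,
  uiSessionTimeoutMin: 60,
  integrationSessionTimeoutMin: undefined, // property not defined on the instance
};
console.log(auditMobileSessionTimeout(constructedSettings, 30, 'helsinki'));
```

With the constructed input, the web session timeout alone holds the effective session at 3600 seconds even though both OAuth lifespans were lowered to 1800.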

Article Information

Last Updated: 2017-10-11 08:26:27
Published: 2017-04-18