Admin User Logout due to Inactivity

This feature automatically logs out admin users after a set number of minutes of inactivity.

This helps conform to the HIPAA Access Control Technical Safeguard AUTOMATIC LOGOFF (A) - § 164.312(a)(2)(iii):

"Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity."

As a best practice, admin users should be trained to log off the system when they have completed their work or their workstation is unattended. In case they forget to log off, an automatic logoff due to inactivity is an effective way to prevent unauthorized access to data.

Enable Automatic Logout

On the Settings page, navigate to the 'HIPAA' section and select 'Yes' under the label that says "HIPAA- disable remember me and auto logout after set interval. If set to 'Yes', this will also disable the "Magic Links" feature if enabled."

Then, in the text input box below, type in the number of minutes of inactivity after which admin users are automatically logged out.

Functionality

Upon login and with each pageview or action an admin user takes, a timestamp is refreshed. This timestamp is used to measure how much time has passed between pageviews/actions. If that time exceeds the number of minutes allowed for inactivity, the following happens:

  • the admin user will be automatically logged out
  • their session will end
  • they'll be taken to the 'logout' page on the front of the website
  • a message will be displayed that they have been automatically logged out

For the admin user interface, we also keep a separate timer to warn the admin user when they are approaching an automatic logout. When the countdown timer reaches 60 seconds left, a popup modal is displayed that prompts the user to refresh the page to stay logged in.

If they do not refresh the page, the page will automatically call back to the server, where the server-side timer is checked to confirm whether they should be logged out or not.
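The server-side check described above, as an added sketch in Python (not the product's own code). The class, method and session-key names are hypothetical, the logout message text is constructed, and it assumes the page's automatic callback only checks the timer and does not count as activity.

```python
import time

WARN_SECONDS = 60  # the warning modal appears with 60 seconds left


class IdleTimeoutGuard:
    """Server-side inactivity timer; a plain dict stands in for the session store."""

    def __init__(self, timeout_minutes, clock=time.time):
        if timeout_minutes <= 0:
            raise ValueError("timeout must be a positive number of minutes")
        self.timeout = timeout_minutes * 60
        self.clock = clock  # injectable so the timer can be tested

    def login(self, session, user):
        session.clear()  # drop any pre-login state
        session["user"] = user
        session["last_activity"] = self.clock()

    def remaining(self, session):
        """Seconds until logout; negative once the allowed idle time is exceeded."""
        last = session.get("last_activity")
        if "user" not in session or last is None:
            return -1  # missing state fails closed
        return self.timeout - (self.clock() - last)

    def on_request(self, session):
        """Run on every pageview/action. True means the request may proceed."""
        if self.remaining(session) < 0:
            self.logout(session)
            return False
        session["last_activity"] = self.clock()  # real activity refreshes the timer
        return True

    def on_status_poll(self, session):
        """Automatic callback from the page: checks the timer, never refreshes it."""
        left = self.remaining(session)
        if left < 0:
            self.logout(session)
            return "logged_out"
        return "warn" if left <= WARN_SECONDS else "active"

    def logout(self, session):
        session.clear()  # end the session, keep only the notice for the logout page
        session["notice"] = "You have been automatically logged out."
```

Keeping the poll read-only matters: if the automatic callback refreshed the timestamp, an unattended browser tab would hold the session open indefinitely.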

Behaviours

If enabled, this feature automatically disables and prevents the "Remember Me" function in the login process, and it also disables the Magic Link feature.