cindy

session timeout for mobile signing/login

0 votes
By default, the session timeout for sender/signer is 30 minutes. It's working for the desktop version, but it seems not to be working for mobile signing or sender login. Is there any different setting other than the default one?

Reply to: session timeout for mobile signing/login

0 votes
Hi Cindy,

From my own test in the SaaS environment, when the session expires in the Mobile Signing Ceremony, there's no pop-up that visually indicates that the session has expired, but when I tried to click any signature/accept button, the page was redirected to the URL that has been pre-set in my account resource "logout.config". So, regarding your question:

(1) Are you developing in an on-prem or SaaS environment, and what's the version of it?
(2) When you said it's not working in Mobile Signing, did you observe the same behavior as I did?
(3) Could you clarify the "sender login" a little bit? If you were referring to the web portal login page, there's no session (cookie header) granted to the browser before logging in, so that page won't expire.

Duo

Duo Liang OneSpan Evangelism and Partner Integrations Developer


Reply to: session timeout for mobile signing/login

0 votes
Hi Duo,

I tested in the sandbox version, which is 11.30, and our on-prem version, v11.25. For the mobile signing ceremony, after 30 min, I am still able to click any signature box. 'Sender login' means when the sender logs in to his/her own account to view all the activities, such as searching for packages, etc. In the desktop version, the session timeout is working, but in the mobile version, it doesn't expire.

Thanks,
Cindy

Reply to: session timeout for mobile signing/login

0 votes
Hi Cindy,

I will perform more tests in Sandbox to see whether I can reproduce the issue on mobile. If you are testing the expiry function, I would suggest setting your account's session expiry timeout to 1 min, by emailing our support ([email protected]) or setting it up in your on-prem environment, to make it easier to identify the issue (in "settings.properties", set "esl.login.session.timeout" : "60000").

Duo

Duo Liang OneSpan Evangelism and Partner Integrations Developer


Reply to: session timeout for mobile signing/login

0 votes
Hi Duo,

I found that the session does time out on mobile. I tested my account in sandbox; right now, on desktop, when the signer session times out, it redirects to the login page. I saw an error page before, like "Unauthorized Access"; how do I get that page? In our on-prem version, when the signer session times out, I get a page saying "access denied". Is it possible to change the message shown on the page?

In logout.config:

"signerExpiryRedirect" : "https://dev.esl.cibc.com/error?error=eyJjb2RlIjo0MDEsIm1lc3NhZ2VLZXkiOiJlcnJvci51bmF1dGhvcmlzZWQuaW5jb3JyZWN0QXV0aGVudGljYXRpb25Ub2tlbiIsIm1lc3NhZ2UiOiJJbmNvcnJlY3QgQXV0aGVudGljYXRpb24gVG9rZW4uIFBsZWFzZSB2ZXJpZnkgeW91ciB0b2tlbiBhbmQgcmVzdWJtaXQuIiwibmFtZSI6IlVuYXV0aG9yaXplZCBBY2Nlc3MifQ=="

{"code":401,"messageKey":"error.unauthorised.incorrectAuthenticationToken","message":"Incorrect Authentication Token. Please verify your token and resubmit.","name":"Unauthorized Access"}

Reply to: session timeout for mobile signing/login

0 votes
Hi Cindy,

I'd like to answer the second question first. There are two types of error pages in OneSpan Sign, see below:

The left one returns HTML directly from the OSS backend, and the URL is sender/package related, so the backend knows which sender's UI customization will be applied. The right page's content comes from the decoded error token in the URL, and because there's no information indicating which sender this error page belongs to, it's just a general page which can't be customized. However, in the signer/sender session expiry scenario, because you have the capability to choose the redirect page per account, you can download, customize and host this error page in your own domain instead of using the OneSpan Sign general error page.

For the first question, in the SaaS environment, your account also has the same resource "logout.config"; you can either use the general error page like below, or you can point to a resource within your domain.
https://sandbox.esignlive.com/error?error=eyJjb2RlIjo0MDEsIm1lc3NhZ2VLZXkiOiJlcnJvci51bmF1dGhvcmlzZWQuaW5jb3JyZWN0QXV0aGVudGljYXRpb25Ub2tlbiIsIm1lc3NhZ2UiOiJJbmNvcnJlY3QgQXV0aGVudGljYXRpb24gVG9rZW4uIFBsZWFzZSB2ZXJpZnkgeW91ciB0b2tlbiBhbmQgcmVzdWJtaXQuIiwibmFtZSI6IlVuYXV0aG9yaXplZCBBY2Nlc3MifQ==
Duo

Duo Liang OneSpan Evangelism and Partner Integrations Developer


Reply to: session timeout for mobile signing/login

0 votes
Thanks for the information. For the general redirect URL, another test case of mine is a multi-use token: if the user uses the same token again, it redirects to the encoded URL and shows the same message as the expired one. Since the message key is different, why does the page show the same content? Do you mean this is the only page hosted by OneSpan, and I can't change the wording on the general page?

error=eyJjb2RlIjo0MDEsIm1lc3NhZ2VLZXkiOiJlcnJvci51bmF1dGhvcmlzZWQuaW5jb3JyZWN0QXV0aGVudGljYXRpb25Ub2tlbiIsIm1lc3NhZ2UiOiJJbmNvcnJlY3QgQXV0aGVudGljYXRpb24gVG9rZW4uIFBsZWFzZSB2ZXJpZnkgeW91ciB0b2tlbiBhbmQgcmVzdWJtaXQuIiwibmFtZSI6IlVuYXV0aG9yaXplZCBBY2Nlc3MifQ==

{"code":401,"messageKey":"error.unauthorised.incorrectAuthenticationToken","message":"Incorrect Authentication Token. Please verify your token and resubmit.","name":"Unauthorized Access"}

Thanks,
Cindy

Reply to: session timeout for mobile signing/login

0 votes
Hi Cindy,

After some investigation, I got more information for you:

The general error page is determined by two parameters in the decoded JSON: code and messageKey. But the UI label displayed for each code and message key is configured at the environment level, which can't be changed in SaaS (but you can change it in an on-prem environment).

For example, if you encode this error message {"code":401,"messageKey":"error.unauthorised.sessionExpired"} and hit this link, you will see the difference there:
https://sandbox.esignlive.com/error?error=eyJjb2RlIjo0MDEsIm1lc3NhZ2VLZXkiOiJlcnJvci51bmF1dGhvcmlzZWQuc2Vzc2lvbkV4cGlyZWQifQ==
So if you think this message key is more appropriate, you can modify your expiry redirect URL with this error code. And if you want, I can send you an email with the whole list of error codes and message keys together with their default values.

Duo

Duo Liang OneSpan Evangelism and Partner Integrations Developer
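
An added example (not part of the thread and not OneSpan code) for the self-hosted error page described above: it builds the Base64-encoded `error` parameter and, on the receiving side, decodes it and renders only allowlisted labels, ignoring any `message` text carried in the URL. The host `esign.example.com`, the label wording, the function names and the length bound are assumptions; the runtime is Node.js.

```javascript
// Labels this self-hosted page will display, keyed by "code:messageKey".
// The two message keys are quoted in the thread; the wording is constructed.
const LABELS = {
  "401:error.unauthorised.sessionExpired":
    "Your signing session has expired. Reopen the link from your e-mail.",
  "401:error.unauthorised.incorrectAuthenticationToken":
    "This link is no longer valid. Ask the sender for a new one.",
};
const FALLBACK = "Something went wrong. Please try again.";
const MAX_TOKEN_LENGTH = 1024; // assumption: generous bound for a small JSON object

// Build a redirect URL (e.g. for signerExpiryRedirect) carrying code + messageKey.
function buildErrorUrl(baseUrl, code, messageKey) {
  const json = JSON.stringify({ code, messageKey });
  const url = new URL("/error", baseUrl);
  url.searchParams.set("error", Buffer.from(json, "utf8").toString("base64"));
  return url.toString();
}

// Decode the "error" query parameter; returns null for anything malformed.
function decodeErrorToken(requestUrl) {
  try {
    const raw = new URL(requestUrl).searchParams.get("error");
    if (!raw || raw.length > MAX_TOKEN_LENGTH) return null;
    // A literal "+" in a query string is parsed as a space; restore it first.
    const text = Buffer.from(raw.replace(/ /g, "+"), "base64").toString("utf8");
    const obj = JSON.parse(text);
    if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
    if (!Number.isInteger(obj.code) || typeof obj.messageKey !== "string") return null;
    // Keep only the two fields that select the label; drop "message" and "name".
    return { code: obj.code, messageKey: obj.messageKey };
  } catch {
    return null; // invalid URL, invalid Base64 payload or invalid JSON
  }
}

// Pick the text to render: only allowlisted labels, never text from the URL.
function labelFor(requestUrl) {
  const err = decodeErrorToken(requestUrl);
  if (!err) return FALLBACK;
  const key = `${err.code}:${err.messageKey}`;
  return Object.prototype.hasOwnProperty.call(LABELS, key) ? LABELS[key] : FALLBACK;
}
```

Because the label comes from the page's own table, two different message keys show different text only if the table maps them to different entries.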


Reply to: session timeout for mobile signing/login

0 votes
Thanks. 1) Could you send me the list of all the message keys? 2) The reason I am asking is the content of the redirect page: why does it show the same content on the page when the messageKey is different? Is there any way we can change the content of the page?

Reply to:

0 votes

Hi Duo,

Although I opened this topic a while ago, I still have a question about the mobile signing session timeout. On the mobile device, when the signer's session times out, it doesn't go to the page I set up for "signerExpiryRedirect", but goes to the page shown in the attachment. Do you know why this happens?

BTW, for desktop, when the signer session times out, it goes to the "signerExpiryRedirect" page which I set up.

Attachments
IMG_2588.PNG (622.71 KB)

Reply to: session timeout for mobile signing/login

0 votes

Also, after the session timeout, the URL my iPhone stopped at is https://dev.esl.cibc.com/msc/expired?isAdaSwitchedOn=false

But I set the signer redirect URL to: https://dev.esl.cibc.com/error?error=eyJjb2RlIjo0MDEsIm1lc3NhZ2VLZXkiOiJlcnJvci51bmF1dGhvcmlzZWQuc2Vzc2lvbkV4cGlyZWQifQ==

This happens even though I disabled "prevent cross-site tracking" and "block all cookies", based on the suggestion on the page.

Any idea?


Reply to: session timeout for mobile signing/login

0 votes

Hi Cindy,

This is a general session expiry URL, "/msc/expired", so it shouldn't be related to third-party cookie settings. On top of that, I did a quick test with an iPhone on the SaaS environment v11.40, and the signing ceremony successfully redirected to the URL I specified in backoffice. So I am wondering if it's caused by your phone cache, or your mobile signing ceremony redirection rules.

Can you try with an Android phone, or another iPhone device, or potentially clear the browser cache (only if you are comfortable with it) by following:

Settings > Safari > Clear History and Website Data

Or, could you try with my test link, wait a min (my account session expires in 60 secs) and see if the redirection works (it should redirect to the Google home page)?

https://preview.esignlive.com/auth?target=https%3A%2F%2Fpreview.esignlive.com%2Ftransaction%2Fhaf0fXpfXkFqmx3z6VijNAbT41c%3D%2Fsign&loginToken=V1RLQ0JyT1d2U2lLWElxa1ZqRXhPYTBHanJYeFdselhKZ0FJUjIvanRmVURHY1F6RkIyWjJNbHZBSDFCMHIwOWNGc0xyak96SHNrdTZJM1hMdDNKL05EZmpUWGJ4WkNyeVBwVkV5N2VrSytzNkxBaXZDZUFBTmJTcUVDWFRURExUakZ2VTAxcWJqQXdibFprVGswMlR6RjNUamhWZG0xMllrOTRlVlZRWmxoRk16azJVRXhaY1dOdlRVNXROVUpGTlROYWJGUmlSbFZwVFdrMFZuUkJaRldjc0pSQXlwOW9uQ01nNUJnVXBLbHJxQ0o2b0JpalNnMlZrZXBLSkhHdw%3D%3D

BTW, you mentioned above that mobile expiry redirection used to work on your mobile. Is this something that failed recently?

Duo

Duo Liang OneSpan Evangelism and Partner Integrations Developer


Reply to: session timeout for mobile signing/login

0 votes

Hi Duo,

I tried SaaS as well, and it works fine. I'm not sure whether this issue is only in our v11.25 version or in the redirection rule in the vhost file. I will check it out. As you mentioned that this is a general session expiry URL, "/msc/expired", where is it used?

Thanks,

Cindy

