Logout when WebSocket connection is closed

Hi,

I am currently trying to use the authentication functionality supported by bokeh (following this example: bokeh/examples/howto/server_auth at main · bokeh/bokeh · GitHub) to limit the access to my application. The authentication itself works great and I am now wondering if it is possible to logout the user when the websocket connection is closed or at the press of a button from the application itself?

I was not able to find a working solution for my problem until now and am grateful to any pointers in the correct direction!

Thank you!

1 Like

@nicole

Check out the lifecycle hooks available to bokeh server, which are described in the User’s Guide here.

The on_session_destroyed() function will be invoked when a particular user session ends. Note that the session does not end immediately on websocket connection closure.

There are bokeh parameters unused-session-lifetime and check-unused-sessions which are configurable at server instantiation. See Session Expiration Options section of the bokeh Reference document here.

These parameters work together to govern how long after a session expires and cleanup actions occur.

The lifecycle mechanism might be workable for you if you want the cleanup to happen automatically assuming you are okay with some delay between websocket closure or other session expiration event and the actual cleanup.

Alternatively – to your second option – the example you link in the issue description does have a logout route tied to a button based on a perusal of the code. Is that not working to your expectations or is something more needed? (Caveat: I use different authentication methods in my hosted apps so don’t have direct experience with the ones in the example.)

1 Like

I agree with @_jm and think on_session_destroyed is a good place to start and see if it satisfies your needs. If not then the next good step would be open a GitHub development discussion and describe what you want to be able to do, but can’t, in substantially more detail (does your logout need to invoke code in Python? in the browser?)

1 Like

Thank you both for your fast replies! I read (and tested) the on_session_destroyed functionality, however as @_jm stated, this detects the session closure and not the closure of the websocket connection and was looking for a way on how to detect the closure without needing to end the session.

Using a button is a workaround which I overlooked in the example, sorry for that!

Just to follow-up on a bit of terminology here in case it is relevant to your desired implementation.

A session is conceptually a client’s connection to the server with its own document and segregated data. So, this doesn’t mean that the server is being shut down or stopped for this to be invoked. It simply means the user for that session has ended their interaction via the websocket being terminated or whatever.

The on_session_destroyed() function is invoked when a no-longer-used client session is destroyed, and a websocket connection closure could be one of the reasons that such a session is unused. That function does not actively do anything to end the session, it just reacts to the case where the session is ended.

If the websocket closes (for any reason), the associated session will be terminated and deleted, full stop. There just may be a delay between those two events, as the session cleanup job happens periodically.