Session timeout when navigating between microservices

[adamliptrot-oc]

When a service hands off a journey temporarily to a microservice (such as Address Lookup), there is a possibility that even if the user remains active they can be timed out of the 'parent' service.

Currently a service only hands off a sign-out url to Address Lookup (and a timeout in seconds, normally 900). This means that even if the 'child' microservice has a timeout dialog and senses the user's inaction, the keep-alive url it pings will be that of the child microservice. As the timeout will be the same as the parent this means that if a user lingers long enough to trigger the timeout dialog on the child service, they will already have timed out of the parent service.

This can be alleviated by the child service also accepting the parent service's keep-alive url and pinging that in addtion to it's own.

It is likely that to fully fix this, the child service will need to ping the parent's keep-alive url on each page load in addition to when the dialog is shown.

This has been reported to the Address Lookup team, but other services will also need to be notified.

[adamliptrot-oc]

Address Lookup now takes in additional configuration values to allow the service to ping the host service's keepalive url as well as its own. https://github.com/hmrc/address-lookup-frontend#timeout-configuration-json-object-optional

[ashfaqhussain357]

Needs testing with micro service to confirm if this issue still exists. Query with platui