
AbpUserTokens with 1 year expiration are created on each admin login #9141


tom.ohle created

This behavior is exhibited by a brand new instance of an 8.7.0 ASP.NET Core & Angular project.

Is this expected behavior?

The login performance for the admin user gets worse and worse as the number of records grows in this table.

Also, we noticed the performance degradation after upgrading from 7.3.1 to 8.7.0 in our development environment, which had over 10,000 records for the admin user in the AbpUserTokens table.


9 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team

    hi

    https://aspnetboilerplate.com/Pages/Documents/Background-Jobs-And-Workers?#user-token-removal-period

    User token removal period

    ABP Framework defines a background worker named UserTokenExpirationWorker which cleans the records in table AbpUserTokens. If you disable background job execution, this worker will not run. By default, UserTokenExpirationWorker runs every one hour. If you want to change this period, you can configure it like below:

    public class MyProjectWebModule : AbpModule
    {
        public override void PreInitialize()
        {
            Configuration.BackgroundJobs.CleanUserTokenPeriod = 1 * 60 * 60 * 1000; // 1 hour
        }
    
        //...
    }
    
  • User Avatar
    0
    tom.ohle created

    Hi maliming,

    Thanks for the quick response! I have a couple of questions though.

    • Why is a new 1 year token created every time the admin user logs in? Why are the old 1 year tokens not deleted automatically when the admin user logs in?

    • Is this the definition of the UserTokenExpirationWorker? It appears to only delete tokens that have expired. Am I missing something that explains how the 1 year tokens are supposed to be cleaned up?

  • User Avatar
    1
    aaron created
    Support Team
    • Why is a new 1 year token created every time the admin user logs in? Why are the old 1 year tokens not deleted automatically when the admin user logs in?

    A user can log in from multiple devices and browsers. The token for a session is deleted when the user logs out properly via the API.

    • Is this the definition of the UserTokenExpirationWorker? It appears to only delete tokens that have expired. Am I missing something that explains how the 1 year tokens are supposed to be cleaned up?

    Yes. Only expired tokens are cleaned up.

  • User Avatar
    0
    tom.ohle created

    Hey aaron,

    To mitigate this issue, do you see any red flags with setting the expiration to 7 days instead of 1 year?

    public class MyProjectWebCoreModule : AbpModule
    {
        public override void PreInitialize()
        {
            Configuration.BackgroundJobs.UserTokenExpirationPeriod = TimeSpan.FromDays(7);
        }
    }
    
  • User Avatar
    0
    musa.demir created

    Hi @tom.ohle

    You can use any expiration period you want, it depends on your requirements. You can change https://github.com/aspnetzero/aspnet-zero-core/blob/50a941ddd3eac7fd1a50b63a4d8d066def55c189/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Application.Shared/AppConsts.cs#L49-L50 and use any period you want.

    We will also check whether cleaning the tokens after the user logs out works as expected. I created an issue about it: https://github.com/aspnetzero/aspnet-zero-core/issues/3368

    Thanks.
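
How the token lifetime bounds table growth when only expired rows are cleaned up, as an added example that is not part of the thread or of ASP.NET Zero's code: a Python/sqlite3 model in which every login inserts a row and the cleanup deletes expired rows only. The three-column table, the rate of 20 logins per day and the absence of logouts are assumptions made for the illustration.

```python
import sqlite3
from datetime import datetime, timedelta

START = datetime(2020, 1, 1)  # constructed start time for the simulation

def make_db():
    # Constructed stand-in for AbpUserTokens with only the columns the model uses.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE AbpUserTokens ("
               "Id INTEGER PRIMARY KEY, UserId INTEGER, ExpireDate TEXT)")
    return db

def login(db, user_id, now, lifetime):
    # Every login adds a token row; earlier rows for the user are left alone.
    db.execute("INSERT INTO AbpUserTokens (UserId, ExpireDate) VALUES (?, ?)",
               (user_id, (now + lifetime).isoformat()))

def expiration_worker(db, now):
    # Mirrors the behaviour confirmed in the thread: only expired rows go.
    return db.execute("DELETE FROM AbpUserTokens WHERE ExpireDate <= ?",
                      (now.isoformat(),)).rowcount

def simulate(lifetime_days, days=30, logins_per_day=20):
    """Run `days` of logins without logout; return the populated database."""
    db, now = make_db(), START
    for _ in range(days):
        for _ in range(logins_per_day):
            login(db, 1, now, timedelta(days=lifetime_days))
        now += timedelta(days=1)
        expiration_worker(db, now)  # assumed to run once per simulated day
    return db

def report(db, now):
    # Per-user row count, rows already expired, and earliest expiry.
    return db.execute(
        "SELECT UserId, COUNT(*), SUM(ExpireDate <= ?), MIN(ExpireDate) "
        "FROM AbpUserTokens GROUP BY UserId ORDER BY COUNT(*) DESC",
        (now.isoformat(),)).fetchall()

if __name__ == "__main__":
    end = START + timedelta(days=30)
    print("1 year:", report(simulate(365), end))
    print("7 days:", report(simulate(7), end))
```

With a one-year lifetime the worker deletes nothing during the 30 simulated days, so the row count equals the total number of logins; with seven days it levels off at roughly the login rate times the lifetime.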

  • User Avatar
    0
    tom.ohle created

    Hi @musa.demir,

    It seems the issue you created no longer exists.

  • User Avatar
    0
    musa.demir created

    It still exists. Can you please check you have permission to see https://github.com/aspnetzero/aspnet-zero-core

  • User Avatar
    0
    tom.ohle created

    Yes, you are right. I wasn't logged in at the time when I checked. My mistake!

  • User Avatar
    0
    ismcagdas created
    Support Team