This article describes how we administrators can disable the auth-keepalive page and still be able to provide users with a logout option.

When a user is authenticated successfully, The default behaviour is FortiGate will redirect the user to the original page.

Users cannot log out by themselves in that case.

Administrators can enable the 'auth-keepalive option to open a keepalive page after the user is authenticated.

The keepalive page periodically refreshes the user's timeout period and should not be closed.

The user needs to open a new browser window for original page access.

This can be configured here:

# config system global
    set auth-keepalive enable
end

Chrome version 88 introduced a change in how background tabs are handled.
In particular, they will be throttled, causing any scripts running on them to be executed much more slowly: https://developer.chrome.com/blog/timer-throttling-in-chrome-88/

The keepalive page FortiGate provides for authentication consists of a javascript that triggers a burst of traffic to the FortiGate to keep the connection up and running.

With the change in Chrome, this script becomes too slow and the FortiGate recognizes that a keepalive message is missing.

It will remove the user from authentication. 

The user will need to authenticate again on the next connection attempt, triggering the redirect to the authentication portal.

For a few environments the logout option is important as logging out a user manually will not be possible every time.

So below settings is applied to make things work.

First, the admin has to disable the keepalive page in the FortiGate. 

Scenario 1:
If the captive portal is enabled on the interface like below:

# config system interface
    edit "port2"
        set security-mode captive-portal
        set security-groups "User Group"
    next
end

Then, it is possible to add the redirection on the same setting:

# config system interface
    edit "port2"
        set security-redirect-url "http://FGTLANIP:1000/portal?"
end

Scenario 2:
If the authentication portal is enabled in a firewall policy, instead of a LAN interface like below:

# config firewall policy
    edit 1
        set name "Internet"
        set nat enable
        set groups "User Group"
    next
end

Then, it is possible to add the redirection like below:

# config firewall policy
    edit 1
        set redirect-url "http://FGTLANIP:1000/portal?"
    next
end

Tips.

The '?' symbol cannot be copy-pasted as its primary purpose is to show the next options in the CLI. 

To enter the symbol, take SSH access of the FortiGate using Putty (not from GUI) and the Press Ctrl+V and then the '?'. 

The key should be entered quickly as it allows only a second or two to enter it.

Note.

It is possible to use port 1003 if the HTTPS redirect is enabled in the user setting. 

With the keepalive disabled, FortiGate will instead apply configured timeouts. 

The default configuration is an idle timeout of five minutes; if the FortiGate did not receive any traffic from the user in the last five minutes, the user is de-authenticated.

This can require re-authentication after a coffee or lunch break, for example.