Guys,
From an extranet point of view, I am looking for a session timeout to set up for every connected person (i.e. when a user has been inactive for more than X minutes, their session ends). I can't find anything like that. Is there a way to do that? Is there something around the corner?
I would find it useful to have something to set up, site-wide, in the default settings.
Regards,
Eric

Comments

Walt Esquivel’s picture

Hi,

I see EC posted a comment with regard to session timeouts back in January 2005 and hasn't received any feedback, so I thought I'd post my support for an answer to this issue.

Probably 99% of the quality web sites that one logs into now have session timeouts that usually will require one to log back in after x minutes of inactivity. Because my Drupal-powered web site will have personally identifiable information, it needs a session timeout capability so that when a user logs in and then leaves the computer for whatever reason, my Drupal-powered web site would automatically log the user out after x minutes.

Perhaps Drupal has session timeout capability but I don't know where to look? I've searched various places here on the Drupal web site but haven't found any answers...

Thank you in advance for any assistance,
Walt

Steven’s picture

Drupal depends on PHP for its sessions mostly, so you need to look in that direction. There is in fact a timeout setting in php.ini which you can modify through .htaccess.

The downside of this is that the user will lose whatever they were working on. If they were in the middle of a form, that data will be lost.

--
If you have a problem, please search before posting a question.

Walt Esquivel’s picture

Steven,

Thank you so much for your helpful info and pointing me in a direction to possibly proceed.

Yes, the downside of automatically "timing out" someone due to their INactivity is a concern in that someone may be working on something and get "timed out", but that's what happens with Yahoo, my bank, etc. I will be sure to put something in the FAQ section of my web site that will explain users WILL be timed out after x minutes of INactivity.

I'm not familiar with php.ini or .htaccess but went ahead and took a look by opening the .htaccess file via my cpanel. Is that where you meant for me to look?

Below my signature is a part of the .htaccess file that I believe pertains to what you referred to in terms of "timeout setting" and I would like to know which line pertains to my being able to set a session timeout and, of course, what I would actually insert for a session timeout of, say, 60 minutes of INactivity. Of course, it's possible that what you referred to is NOT in the code I copied below so please feel free to let me know which code it actually is.

Thank you so much in advance,
Walt

# Overload PHP variables:

# If you are using Apache 2, you have to use
# instead of .
php_value register_globals 0
php_value track_vars 1
php_value short_open_tag 1
php_value magic_quotes_gpc 0
php_value magic_quotes_runtime 0
php_value magic_quotes_sybase 0
php_value arg_separator.output "&"
php_value session.cache_expire 200000
php_value session.gc_maxlifetime 200000
php_value session.cookie_lifetime 2000000
php_value session.auto_start 0
php_value session.save_handler user
php_value session.cache_limiter none
php_value allow_call_time_pass_reference On

Walt Esquivel’s picture

My gosh, I think I'm dizzy from the info relating to setting session timeouts at this other link (http://drupal.org/node/2974) I found by doing an extensive search of session timeouts!

Of course, my vote would have been to add a checkbox or drop down option for admin to choose how long a user would remain logged in after said user remained INactive (for example, 60 minutes, 1 day, 2 weeks, etc.), but it looks like I'm forced to download patches and play with the code to make this work.

I still think a checkbox or drop down option for admin to choose how long a user would remain logged in should be just that - the decision of the admin. I hope someone will see the logic of this useful feature. Right now, it seems sporadic in that I can stay logged in for days at a time, while at other times (on the same machine) I'll be working on something while being logged in and all of a sudden, I get logged out. It's just very sporadic and I don't have the answers. At least if I as the admin could set the INactive time to then log folks out, I could have a better handle on what the actual INactive length of time should be before someone actually gets logged out. Then again, I see this as more of a security issue the admin should have direct control over than anything else.

Bottom line: I WANT to be able to timeout my users by selecting from a dropdown menu or checkbox the length of time to log out INactive folks WITHOUT having to mess with a bunch of code and/or patches.

Would anyone accept a six-pack to add that as a module? ;) I hear gentle bribery...oops, I mean, uh...encouragement can be very effective. :)

Cheers,
Walt

niosop’s picture

Hi,

Here's a quick and dirty solution. It's not ideal but it might suffice for some people.

Create a file called sessiontimeout.module in your modules directory.

Put this in it:

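<?php
/**
 * Implementation of hook_cron().
 *
 * Deletes sessions that have been inactive for more than 600 seconds,
 * which logs those users out on their next request.
 */
function sessiontimeout_cron() {
  // {sessions} lets Drupal apply any table prefix; %d forces an integer.
  db_query('DELETE FROM {sessions} WHERE timestamp < %d', time() - 600);
}
?>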

Change the 600 to whatever you want the timeout to be in seconds (600 seconds = 10 min).
Activate the sessiontimeout module.

Increase the frequency of the cron job that calls cron.php (a ten minute timeout won't work very well with a 1 hour cron job).

Later I'll probably write one that doesn't use hook_cron, let me know if there's interest. Also let me know if this method is dumb and breaks anything.

Matthew

Walt Esquivel’s picture

Hi niosop,

Thanks for your reply! However, before I try your solution...

In my post above titled "Session timeout based on INactivity", do you know what the following code is for?

php_value session.cache_expire 200000
php_value session.gc_maxlifetime 200000
php_value session.cookie_lifetime 2000000

If someone could explain each of those lines of code, that would be greatly appreciated!
For example:
session.cache_expire means...
session.gc_maxlifetime means...
session.cookie_lifetime means...

I had asked about the code back in March of 2005 but no one ever responded. Specifically, do you know if one of the lines that ends in 200000 is what I could easily change to dictate session time? I don't know anything about PHP but if someone tells me one of those lines can be changed to limit a user's logged-in session times (to automatically log out the user), I can then proceed.

In advance, thank you!

-----
Walt Esquivel, MBA, MA, Captain - U.S. Marine Corps (Veteran)
President, Wellness Corps, LLC
-----
Drupal Users and Developers by Geographical Location
http://drupal.org/node/46659

benthere’s picture

session.cookie_lifetime means...
How long you want the cookie to last in the user's browser (in seconds). Set to 0 to automatically logout when they close their browser.

session.cache_expire means...
not sure on that one. I assume it means how long pages with information available only to logged in users will reside in the browser's cache.

session.gc_maxlifetime means...
gc is garbage collection. I'm not exactly sure what it does, but when all of the sessions are stored in the same directory on the server (the default) on shared hosting, the person who sets the lowest value for this affects everyone's value. In other words, there's only one garbage collector for the server's session directory, so if someone else's scripts collect your garbage first then this value doesn't do much.

php.net's help on this stuff frankly sucks. cookie_lifetime seems like the most important one.

I set the values to:

ini_set('session.cache_expire',     300);
ini_set('session.cookie_lifetime',  0);
ini_set('session.gc_maxlifetime',   300);

to have users automatically logout when they close their browser.

-- Ben // profilefx.com
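
Added example, not part of any post in this thread: `session.gc_maxlifetime` only marks session data as eligible for garbage collection, which PHP runs probabilistically, so a strict inactivity timeout is usually enforced on every request with a last-activity timestamp. This is plain PHP rather than Drupal's API; the function names, the `last_activity` key, the `uid` value and the 600-second limit are assumptions for illustration.

```php
<?php
// Added example: strict server-side inactivity timeout in plain PHP.
// Names and the 600 s limit are illustrative assumptions, not Drupal API.

const IDLE_LIMIT = 600; // seconds of inactivity allowed

/**
 * Decide whether a session has been idle too long and update its timestamp.
 * Works on any array, so the logic can be exercised without a real session.
 *
 * @return bool TRUE if the session is still valid, FALSE if it expired.
 */
function idle_timeout_check(array &$session, int $now, int $limit = IDLE_LIMIT): bool {
  $last = $session['last_activity'] ?? null;
  if ($last !== null && ($now - $last) > $limit) {
    $session = [];                   // drop all server-side state, login included
    return false;
  }
  $session['last_activity'] = $now;  // sliding window: every request resets it
  return true;
}

/** Wire the check into a real request. Call before any output is sent. */
function enforce_idle_timeout(): bool {
  // The cookie dies with the browser; the server-side check handles idle time.
  ini_set('session.cookie_lifetime', '0');
  // Keep data longer than the limit so this site's GC does not expire it early.
  ini_set('session.gc_maxlifetime', (string) (IDLE_LIMIT * 2));
  session_start();
  if (!idle_timeout_check($_SESSION, time())) {
    session_regenerate_id(true);     // issue a new ID and delete the old record
    return false;                    // caller should redirect to the login form
  }
  return true;
}

// Constructed walk-through: three requests against one simulated session.
$demo = ['uid' => 42];
$t0 = 1000000;
var_dump(idle_timeout_check($demo, $t0));        // first request
var_dump(idle_timeout_check($demo, $t0 + 599));  // 599 s after the previous one
var_dump(idle_timeout_check($demo, $t0 + 1300)); // 701 s after the previous one
var_dump($demo);                                 // session contents afterwards
```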

sandeepkumar’s picture

Hi

I have also made the changes in settings.php. Although the session is expiring in Internet Explorer,

I still have the problem with Mozilla.

If anybody has an idea about this issue, please reply.

Thanks in advance

Sandeepkumar

hubrt’s picture

Didn't test it yet. But the Automated Logout module (http://drupal.org/node/64413) sounds like what you need.

This module provides a site administrator the ability to log users out after a specified time of inactivity.

It is highly customisable and includes "site policies" by role to enforce logout.

Includes content submission detection after timeout to prevent users losing work.

kzinoviev’s picture

Looks like the Automated Logout module is not working at all. I've installed it on my Drupal 6 but with no success on Mozilla. I've tried different options but with no effect.

profjk’s picture

*bump*

hejazee’s picture

I tested Automated Logout, and it works well. But after enabling this module you should configure its settings at ?q=admin/settings/autologout and change the default settings. By default the session timeout is 30 minutes. For testing, it's recommended to set the session timeout to 60 seconds so that you can test the module and see its effect sooner.

michaelhaley’s picture

Set Drupal-specific PHP settings using ini_set() function in your settings.php configuration file instead of directly in php.ini to avoid conflicts with your other PHP scripts and applications.

Having these settings in settings.php instead of .htaccess allows subsites to have different
settings and allows Drupal to modify the session settings on hosts running PHP as a CGI
(PHP directives in .htaccess don’t work in such a configuration).

nehajyoti’s picture

Basically port this code of D7 to D8:

  drupal_save_session(FALSE);
  session_write_close();
  drupal_save_session(TRUE);

  ini_set('session.cookie_lifetime', $cookie_lifetime);

  drupal_session_started(FALSE);
  drupal_session_initialize();