Auto logout broken?

Hi folks,

I’m currently evaluating Gibbon v17 and I was wondering why auto logout doesn’t work anymore.

In v12 a window used to show up, warning the user, that the session is about to expire. The user could then either click “Logout Out Now” or “Stay Connected”. If ignored, the user was logged out a few minutes later.

Can you reproduce this in v17?

Kind regards,
Roman

Comments

  • Hi Roman,

    This is interesting, can’t say that I had noticed it working or not working recently :sweat_smile: I’m just off for CNY break this next week and don’t have a laptop with me (the sign of a good break!), I’ll check it out when I’m back.

    Thanks!
    meierromadmin
  • Hi Roman,

    I've looked into this and the auto-logout appears to be working as expected (tested v17 and v18). If you tend to use multiple tabs, what you could be seeing is the auto-logout box pops up in the background in a different tab, and when not clicked will end the session for all tabs (appearing to log you out without warning). At some point I may look at the script and make it more tab-friendly.

    Otherwise, it could be something specific to wamp or your system. One way to test it's working is to look for line 215 in index.php and add $sessionDuration = 10;. Then log out and back in, and you should see the popup every 10 seconds (just don't test this on production :lol:)
  • Hi Sandra,

    False alarm!

    I simply forgot that by default Gibbon is set to have a rather long sessionDuration of 20 minutes, which we significantly reduced in our hacked version for security reasons.

    Using your hint showed that it’s working perfectly.

    Sorry for that!

    Kind regards,
    Roman
    admin
  • Hi Roman, thanks for clarifying! To me 20 minutes seems like a reasonable session duration, but then at my school we don't share any computers, and so perhaps that is a factor in my thinking. Out of interest, what would you suggest a reasonable length of time to be? Thanks! Ross.
  • Hi Ross,

    We do have a few teachers using personal devices but most use shared computers in the computer lab, library, admin office or teachers room.

    Especially when we introduced Gibbon I noticed that security issue with teachers forgetting to logout. It has improved since.

    Anyway, I decided to set the session duration to 5 minutes. Maybe a lower value like 2 minutes would be even better.

    I think it would make sense to allow such changes in the settings though. Currently there is a minimal constraint, which doesn't make sense for our setup.

    Kind regards,
    Roman
  • @admin @meierrom Sounds like a fair use-case for shared computers. We could perhaps keep the default, but lower the minimum value validation in System Setting to 5 minutes?
    adminmeierrom
  • Hi @sandra ! I too have reduced the session time to 5 minutes as I have been getting 508 errors. (In case I upload a link to test etc and lots of students log in at a time). Is there a way to check/ensure that the session ends once a new webpage opens?

    Thanks in advance !
  • Hi flygye12,

    I don't believe so. The session timeout uses javascript to end the session on the client side, but this works only for inactive sessions and has limitations. If a user browses to another page then the javascript is no longer running and cannot end the session. If the computer or browser is put to sleep then often the javascript timeout won't trigger. I believe this feature is aimed more as a user-facing reminder than a true security measure, which is why it's client side.

    I think what may help in your case is a maximum cutoff built into the session on the server side. For example, you could add this to your index.php
    // Session Hard Limiter = session duration + 10 minutes
    $sessionLastActive = $session->get('sessionLastActive', null);
    $sessionHardLimit = $session->get('sessionDuration') + 600;
    if (!empty($sessionLastActive) && time() - $sessionLastActive > $sessionHardLimit ) {
        $URL = $session->get('absoluteURL').'/logout.php?timeout=true';
        header("Location: {$URL}");
        exit();
    }
    $session->set('sessionLastActive', time());

    As a note, this is a hard limit, so it should be longer than your session duration, to ensure users have a chance to see and respond to the pop-up before their session is ended.
    meierromflygye12
Sign In or Register to comment.