1 txisko Jul 03, 2004 02:09
3 txisko Jul 05, 2004 09:45
Graham wrote:
Open up conf/_advanced.php and you can set the time it takes the cookie to expire.
Thanks, it works :)
It's really easy, but a bit hidden :roll: It would be a good idea to include this in the backoffice, to allow newbie users to change it.
Graham wrote:
Some may call this a security flaw, while others call it a feature. I don't use any computers that don't save my preferences behind a password (such as logging on to my college network or my XP machines at home), so I find the cookie lasting one year is pretty useful.
It's a way of thinking... I prefer to set more security by default in the system and then, if the user believes it's ok and by his own responsibility :>, let him change the cookie expiration time.
And I don't like to leave cookies anywhere I roam :p
4 edb Jul 05, 2004 22:00
A "Public PC - log me out when done" option on login would be cool.
5 kaluga_san Feb 15, 2005 16:39
Well, I have to agree with Txisko. And I think that there are serious security issues that probably most of us newbies aren't aware of... until we bump nastily into them.
I have been told by one user on my site that if she goes away without logging off and then comes back a couple of hours later after restarting her browser and even the computer, she lands right in the middle of her old session. That is a security bomb! My site is a small private one for only a handful of friends. There are discussions there that are rather personal. We don't want co-workers or others walking into her computer and reading this private stuff.
Of course, of course... she should log off every time. But many people once in a while forget to do this and absent-mindedly turn off the browser with the session still active. Any other program I know of (such as phpBB) would immediately disconnect the user and prompt for the user/password when reconnecting.
I am also rather surprised that in order to control cookie behaviour I need to edit one of the config files - I agree it ought to be an option configurable from the back-office (and maybe stored in the mysql database). And more importantly, I think that the default should be the strictest security settings, not the more relaxed ones!!!
Anyway, as a newbie I need some help to figure this one out. I went to the conf/_advanced.php file and found two settings there. I set the first value to log out the user after 15 minutes of inactivity:
$cookie_expires = time() + 900;
The second one has:
$cookie_expired = time() - 86400;
I've altered this value but apparently there is no change in behaviour. What is this thing really supposed to do? What values should I place? Do I need to keep the "time()" thingie, or set the variable directly to some value?
What I want to accomplish is to have b2evo behave like phpBB and other packages: I want it to immediately disconnect a user after it shuts his/her browser (or at least when it tries to come back after having exited the browser). Any help with this, please?
Sorry for the lengthy post. Thanks in advance for any help.
6 mt Feb 23, 2005 23:59
Txisko,
Open conf/_advanced.php and change $cookie_expires to read $cookie_expires = time() + 0;
When you close your browser, the user(s) will have to log in again.
7 mwester Mar 17, 2005 07:44
I tried this and the session expired not only when you closed the browser, but even when you switched tabs ... for instance, when switching from the Write tab to the Edit tab, the user must log in again (this is in IE)! Pain in the butt. Any other solutions?
8 village_idiot Mar 17, 2005 08:36
What I want to accomplish is to have b2evo behave like phpBB and other packages: I want it to immediately disconnect a user after it shuts his/her browser (or at least when it tries to come back after having exited the browser). Any help with this, please?
The problem with your premise is that that is NOT how phpBB behaves -- see the remember me checkbox? Yes, there is an option in the admin area of phpBB to set a shorter expiration time for cookies, but very few admins mess with it, and in fact, unless you click the button, and log out, you're automatically logged right back in when you return.
Second, you're not "always logged in" as someone stated earlier -- you simply relogin w/o having to authenticate.
That's the entire purpose of persistent cookies.
---
If you mess with cookie settings, you're also best to rename them, so a new cookie can be sent .. never trust that the old cookie will be overwritten.
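An added example (not from any poster and not b2evolution code) showing why an expiry of `time() + 0` logs users out at once, while an expiry of `0` gives the log-out-when-the-browser-closes behaviour asked for in this thread. It assumes the configured value reaches PHP's `setcookie()` as its expiry argument, which the thread does not show; the function names and the cookie name are hypothetical, and the options-array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
// Added example, not b2evolution code. Assumption: the value ends up as the expiry
// argument of PHP's setcookie(), where 0 means "send no Expires attribute".

// Expiry for the login cookie: 0 on a public PC (cookie dies with the browser),
// otherwise now + lifetime (persistent "remember me" cookie).
function login_cookie_expiry(bool $publicPc, int $now, int $rememberSeconds): int
{
    return $publicPc ? 0 : $now + $rememberSeconds;
}

// Render the Set-Cookie header a given expiry produces, for inspection only.
function describe_cookie(string $name, string $value, int $expires, int $now): string
{
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($expires !== 0) {
        $header .= '; Expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT'
                 . '; Max-Age=' . max(0, $expires - $now);
    }
    return $header . '; Path=/; HttpOnly';
}

// Send the cookie for real; must be called before any output is written.
function send_login_cookie(string $name, string $value, int $expires): bool
{
    return setcookie($name, $value, [
        'expires'  => $expires,
        'path'     => '/',
        'httponly' => true,   // keep the login token out of reach of page scripts
        'samesite' => 'Lax',
    ]);
}

$now = time();
$cases = [
    'time() + 0   (already expired)'   => $now + 0,
    '0            (until browser exit)' => login_cookie_expiry(true, $now, 900),
    'time() + 900 (15 min after set)'  => login_cookie_expiry(false, $now, 900),
];
foreach ($cases as $label => $expires) {
    echo str_pad($label, 36), describe_cookie('example_login_v2', 'token', $expires, $now), PHP_EOL;
}
```

Run from the command line, the first case prints `Max-Age=0`, so the browser discards the cookie before the next request, and the second prints no `Expires` at all. A fixed `time() + 900` counts from when the cookie was set, so it acts as an inactivity timeout only if the cookie is re-sent on each request.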