
1 Jul 03, 2004 02:09    

Hello.

I'm a newbie on b2evo and in php. I've read many posts on this forum, changing and adapting the b2evo to my taste. But still I have one question: is it possible to make a timed automatic logout?

I explain it:

On a PC I press the 'log in' link and enter into the admin section. Do some stuff. Then I quit the browser without pressing the 'log out' link and do other stuff.

Next day I come back and find that I'm still logged in. This status, logged in, could be for days (I've really been logged in on my localhost for two weeks, only with the first login) or more... 8| Or maybe, and easier, I've not been able to find the concrete script code for this feature :oops:

I think that it's a real security failure :-/ , especially in places where the PCs are used by several users.

How (and where) can I set a time session for the cookie login so that, for example, after 15 minutes of not browsing the b2evo-web, the system automatically logs out?

Thanks for your answers :)

Txisko.

2 Jul 03, 2004 02:44

Open up conf/_advanced.php and you can set the time it takes the cookie to expire.

Some may call this a security flaw, while others call it a feature. I don't use any computers that don't save my preferences behind a password (such as logging on to my college network or my XP machines at home), so I find the cookie lasting one year is pretty useful.

3 Jul 05, 2004 09:45

Graham wrote:

Open up conf/_advanced.php and you can set the time it takes the cookie to expire.

Thanks, it works :)
It's really easy, but a bit hidden :roll: It would be a good idea to include this in the backoffice, to allow newbie users to change it.

Graham wrote:

Some may call this a security flaw, while others call it a feature. I don't use any computers that don't save my preferences behind a password (such as logging on to my college network or my XP machines at home), so I find the cookie lasting one year is pretty useful.

It's a way of thinking... I prefer to set more security by default in the system and then, if the user believes it's ok and on his own responsibility :>, let him change the cookie expiration time.
And I don't like to leave cookies anywhere I roam :p

4 Jul 05, 2004 22:00

A "Public PC - log me out when done" option on login would be cool.

5 Feb 15, 2005 16:39

Well, I have to agree with Txisko. And I think that there are serious security issues that probably most of us newbies aren't aware of... until we bump nastily into them.

I have been told by one user on my site that if she goes away without logging off and then comes back a couple of hours later after restarting her browser and even the computer, she lands right in the middle of her old session. That is a security bomb! My site is a small private one for only a handful of friends. There are discussions there that are rather personal. We don't want co-workers or others walking into her computer and reading this private stuff.

Of course, of course... she should log off every time. But many people once in a while forget to do this and absent-mindedly turn off the browser with the session still active. Any other program I know of (such as phpBB) would immediately disconnect the user and prompt for the user/password when reconnecting.

I am also rather surprised that in order to control cookie behaviour I need to edit one of the config files - I agree it ought to be an option configurable from the back-office (and maybe stored in the mysql database). And more importantly, I think that the default should be the strictest security settings, not the more relaxed ones!!!

Anyway, as a newbie I need some help to figure this one out. I went to conf/_advanced.php file and found two settings there. I set the first value to logout the user after 15 minutes of inactivity:

$cookie_expires = time() + 900;

The second one has:

$cookie_expired = time() - 86400;

I've altered this value but apparently there is no change in behaviour. What is this thing really supposed to do? What values should I place? Do I need to keep the "time()" thingie, or set the variable directly to some value?

What I want to accomplish is to have b2evo behave like phpBB and other packages: I want it to immediately disconnect a user after it shuts his/her browser (or at least when it tries to come back after having exited the browser). Any help with this, please?

Sorry for the lengthy post. Thanks in advance for any help.

6 Feb 23, 2005 23:59

Txisko,
Open conf/_advanced.php and change $cookie_expires to read $cookie_expires = time() + 0;

When you close your browser, the user(s) will have to login again.

7 Mar 17, 2005 07:44

I tried this and the session expired not only when you closed the browser, but even when you switched tabs ... for instance, when switching from the Write tab to the Edit tab, the user must log in again (this is in IE)! Pain in the butt. Any other solutions?

8 Mar 17, 2005 08:36

What I want to accomplish is to have b2evo behave like phpBB and other packages: I want it to immediately disconnect a user after it shuts his/her browser (or at least when it tries to come back after having exited the browser). Any help with this, please?

The problem with your premise is that that is NOT how phpBB behaves -- see the remember me checkbox? Yes, there is an option in the admin area of phpBB to set a shorter expiration time for cookies, but very few admins mess with it, and in fact, unless you click the button, and log out, you're automatically logged right back in when you return.

Second, you're not "always logged in" as someone stated earlier -- you simply relogin w/o having to authenticate.

That's the entire purpose of persistent cookies.

---

If you mess with cookie settings, you're also best to rename them, so a new cookie can be sent .. never trust that the old cookie will be overwritten.
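
To make the values discussed in this thread concrete, here is an added example (not code from the posters or from b2evolution) showing how a browser treats each expiry value passed to PHP's setcookie(), plus a server-side inactivity check. classify_cookie_expiry() and is_idle_timed_out() are hypothetical names, and it assumes the configured value reaches setcookie() unchanged.

```php
<?php
// Added example, not b2evolution code. Assumption: the configured value ends
// up as the "expires" argument of PHP's setcookie().

// How a browser treats a given setcookie() "expires" timestamp.
function classify_cookie_expiry(int $expires, int $now): string
{
    if ($expires === 0) {
        return 'session';     // no expiry sent: dropped when the browser closes
    }
    if ($expires <= $now) {
        return 'expired';     // not in the future: discarded on arrival
    }
    return 'persistent';      // kept across browser restarts until $expires
}

// Hypothetical server-side idle check: $lastSeen is the time of the user's
// previous authenticated request, stored on the server (not in the cookie).
function is_idle_timed_out(int $lastSeen, int $now, int $idleLimit = 900): bool
{
    return ($now - $lastSeen) > $idleLimit;
}

$now = time();
$values = [
    'time() + 31536000' => $now + 31536000, // one year (constructed value)
    'time() + 900'      => $now + 900,      // 15 minutes from when it is SENT
    'time() + 0'        => $now + 0,        // expires the moment it is set
    'time() - 86400'    => $now - 86400,    // in the past: deletes the cookie
    '0'                 => 0,               // literal zero: session cookie
];
foreach ($values as $label => $expires) {
    printf("%-18s => %s\n", $label, classify_cookie_expiry($expires, $now));
}

// Constructed timeline: a request after 10 idle minutes, then after 20.
var_dump(is_idle_timed_out($now - 600, $now));   // inside the 15-minute limit
var_dump(is_idle_timed_out($now - 1200, $now));  // past the 15-minute limit
```

A fixed time() + 900 counts from the moment the cookie was sent, so it only acts as an inactivity timeout if the cookie is re-sent on each request or the server tracks last activity itself.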

