It seems to me that logged in users on the frontend of a website are not automatically logged out after they have been idle for more than the Session Lifetime set in Global Configuration > System.
In my case it is set to 15 minutes. When I am logged in at the website and do nothing for more than 15 minutes the session doesn't expire, even after 30 minutes I am still logged in and can do things, like change Profile settings.
I see this behaviour in the current 3.6.2 and in 3.6.3-dev.
Install a fresh 3.6.3-dev, set Session Lifetime to 15 minutes.
Create a user account and log in at the frontend of the website.
Take a break and come back after more than 15 minutes (or whatever is set in Session Lifetime).
Check if you are still logged in, which should not be the case.
The session should have expired and the user should log in again.
The session doesn't seem to expire and the user is still logged in.
Joomla 3.6.2 on WAMP (local test)
Joomla 3.6.3-dev on WAMP (local test)
Although the user on the frontend is still logged in the administrator in the backend is logged out after those 15 minutes. So for the backend it seems to work properly.
I hope I didn't miss an ordinary setting somewhere or overlooked a setting.
But can you do anything?
If you're on a page with a keepalive behavior that would cause it. IIRC the logout layout on the login module triggers it to help prevent CSRF token issues on the logout action.
On Tuesday, August 23, 2016, bertmert notifications@github.com wrote:
Confirmed:
- SuperUser > login Backend > set session time: 5 > create new user (Registered).
- Front-end: Login as registered user (no remember me) > After 20 min or so reload front-end > still logged in
[image: 23-08-_2016_15-48-12]
https://cloud.githubusercontent.com/assets/11038612/17894288/28b7f9d6-6949-11e6-9e91-7e126f0d833a.jpg
- Reload backend: SuperUser is logged out.
@brianteeman
Yes.
SuperUser created a menu item with Access:Registered. Registered user could see it as logged in user that was not logged out after 5 min.
Registered user logged out > menu item is gone.
@mbabker
Sorry, I don't understand. So, that's an expected behavior?
When the page loads, view its source. Check if you see something similar to this in the <head> section's scripts:
window.setInterval(function(){var r;try{r=window.XMLHttpRequest?new XMLHttpRequest():new ActiveXObject("Microsoft.XMLHTTP")}catch(e){}if(r){r.open("GET","/index.php?option=com_ajax&format=json",true);r.send(null)}},840000);
If you do, that means something has triggered a keepalive behavior. What it does is send AJAX request behind the scenes to basically refresh the session to keep it from expiring. So when you have that snippet on your page, it is expected behavior that the session doesn't expire because there's a script running in the background to keep it from expiring.
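A check for the behaviour described above, added here as an example (it is not code from the thread or from Joomla): it pulls the keepalive URL and interval out of page source and models whether an idle session outlives the 15-minute lifetime the reporter set. The sample HTML wrapper, the function names and the simplified expiry model are assumptions.

```javascript
// Constructed sample page; the inline script is the snippet quoted in the thread.
const SAMPLE_HTML = `<html><head>
<script>window.setInterval(function(){var r;try{r=window.XMLHttpRequest?new XMLHttpRequest():new ActiveXObject("Microsoft.XMLHTTP")}catch(e){}if(r){r.open("GET","/index.php?option=com_ajax&format=json",true);r.send(null)}},840000);</script>
</head><body></body></html>`;

// Return {url, intervalMs} for every inline setInterval() that issues an XHR GET.
function findKeepalives(html) {
  const found = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const timerRe = /setInterval\(function\(\)\{[\s\S]*?\.open\("GET","([^"]+)"[\s\S]*?\},\s*(\d+)\)/g;
  for (const script of html.matchAll(scriptRe)) {
    for (const t of script[1].matchAll(timerRe)) {
      found.push({ url: t[1], intervalMs: Number(t[2]) });
    }
  }
  return found;
}

// Simplified model (assumption): the server drops a session once more than
// lifetimeMs passes without any request. Returns true if the session is still
// valid after idleMs in which the only requests are keepalive pings.
function sessionSurvivesIdle(lifetimeMs, idleMs, keepaliveMs) {
  let lastRequest = 0;
  for (let t = keepaliveMs; keepaliveMs > 0 && t <= idleMs; t += keepaliveMs) {
    if (t - lastRequest > lifetimeMs) return false; // ping arrived after expiry
    lastRequest = t;
  }
  return idleMs - lastRequest <= lifetimeMs;
}

const MIN = 60000;
for (const k of findKeepalives(SAMPLE_HTML)) {
  const alive = sessionSurvivesIdle(15 * MIN, 30 * MIN, k.intervalMs);
  console.log(`${k.url} every ${k.intervalMs / MIN} min -> logged in after 30 min idle: ${alive}`);
}
console.log("no keepalive ->", sessionSurvivesIdle(15 * MIN, 30 * MIN, 0));
```

The 840000 ms interval is 14 minutes, so each ping lands inside the 15-minute window and the idle timeout never fires while the page stays open.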
Closing this as expected behaviour
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-08-23 16:09:36 |
Closed_By | ⇒ | brianteeman |
Joomla 3.6.5 Version
I have the same problem with the Joomla session. It works fine between 1 and 5 minutes. Above 5 minutes it works only for backend.
I have set up session time to 6 minutes and followed the behavior. After 6 minutes the backend is logged off.
After a new login in the backend it shows me that the user is not logged in (which is great).
Then I go to the user frontend page and refresh the page and he is still logged in, and the strange thing is that he can write an article, he can do anything.
When I set the session time under 6 minutes all works fine. But 5 minutes is little time for an admin.
How are you determining the user is still logged in on the front end?
I just did a test (after setting lifetime to 5 as I am not patient) and in the backend it reports that the front end user is not logged in
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11756.