Registered users log into site. User walks away from computer, returns 24 hours later, wakes up computer and is still logged into site and user is able to perform actions without invalid token message or being asked to log in again.
After the session time of 120 minutes of inactivity, the user session should be forcibly logged out for any and all users on the front-end.
User session on front-end does not expire for all users, especially if they're in the Kunena forums section of the site, or the JomSocial area.
joomla 3.5.1
jomsocial 4.2.4
kunena 4.0.11
Session handling is set to PHP; have verified users are not saving password (credentials) in browser.
So the solution is to disable the login form on all pages and just assign it to the home page? I read that thread and saw it was closed... didn't see a resolution, my apologies. Thanks for your time.
That doesn't sound like a good solution to me. In 3.5.1 this was not necessary at all.
@xristoph: Have you noticed that - while the user in the frontend is still logged in (although the session has expired) - the particular user is no longer visible in the backend as a logged in user? So he's logged in at frontend, but not visible in backend. Can you confirm this?
That's what I see happening in 3.6.2 and I don't think this is expected behaviour (but I could be wrong here).
I have set my project back to 3.5.1, these strange problems have disappeared now. Not sure what is going wrong.
Category ⇒ Authentication
The keepalive behaviour is always active in the frontend, so the session will always persist.
Do this: go to the frontend, view the HTML source (Ctrl + U) and search for "com_ajax" (Ctrl + F). You will notice that on every frontend page there is an AJAX call every x seconds to the session keepalive; this is always renewing the session.
Not sure this is a bug. But in the backend the keepalive only exists when you are editing an item, so you don't lose the session before saving.
@mbabker can you confirm this is supposed to be like this?
Sorry, already seen your response. This is expected because of the login form module.
So I think this can be closed.
TBH, I'm not entirely sure we need to have CSRF protection in front of the logout task, and if you remove that you remove the need for keepalive at least when the login module is displaying the logout stuff.
What would be the security implication of not having the CSRF protection in com_users frontend logout task (https://github.com/joomla/joomla-cms/blob/staging/components/com_users/controllers/user.php#L145)?
Anyway, we could at least only render the keepalive script when the user is logged in, right?
You need the keepalive for guests too. Otherwise if someone sits on the page too long then tries to log in they get the invalid token message. Right now when you display the login module you have to accept that keepalive will always be there.
As for security stuff, Symfony's default security config doesn't use CSRF in front of the logout task. If it's good enough for them...
Based on a quick google of other apps I think we need to add csrf to the logout links - however anal that is... :-(
https://www.drupal.org/node/144538
https://code.djangoproject.com/ticket/15619
https://blog.codinghorror.com/cross-site-request-forgeries-and-you/
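As an added example (not Joomla's code), the following Python model shows one way to reconcile the two requirements discussed above: the keepalive ping keeps the session (and therefore the CSRF token in the login/logout form) alive, while the 120-minute idle timeout from the report is enforced against genuine user requests only. The session structure, the 5-minute ping interval and the classification of a request as a keepalive ping are assumptions for the example.

```python
IDLE_TIMEOUT = 120 * 60  # session lifetime from the report, in seconds


class Session:
    """Constructed in-memory session model, not Joomla's session API."""

    def __init__(self, user, now):
        self.user = user
        self.authenticated = user is not None
        self.last_seen = now      # any request, including keepalive pings
        self.last_activity = now  # only genuine user-initiated requests

    def touch(self, now, keepalive):
        """Record a request. A keepalive ping (the periodic com_ajax call the
        thread describes) refreshes the session but does not count as activity."""
        self.last_seen = now
        if not keepalive:
            self.last_activity = now

    def enforce_idle_timeout(self, now):
        """Drop authentication once real activity has been idle past the limit.
        The session itself survives, so a CSRF token issued to it stays valid
        and a guest who sat on the page can still log in without an
        invalid-token error."""
        if self.authenticated and now - self.last_activity > IDLE_TIMEOUT:
            self.authenticated = False
            self.user = None
        return self.authenticated


def simulate(user, requests, start=0):
    """Replay (offset_seconds, is_keepalive) tuples against one session and
    report whether the user is still authenticated after the last request."""
    s = Session(user, start)
    for offset, is_keepalive in requests:
        now = start + offset
        s.enforce_idle_timeout(now)  # evaluated before the request is served
        s.touch(now, is_keepalive)
    return s.authenticated


# Constructed traffic: a keepalive ping every 5 minutes for 24 hours, no clicks.
KEEPALIVE_ONLY = [(m * 300, True) for m in range(1, 288 + 1)]
# Constructed traffic: the same pings plus a real page view every 60 minutes.
ACTIVE_USER = sorted(KEEPALIVE_ONLY + [(h * 3600, False) for h in range(1, 25)])

if __name__ == "__main__":
    print("pings only, still logged in:", simulate("alice", KEEPALIVE_ONLY))
    print("active user, still logged in:", simulate("alice", ACTIVE_USER))
```

With this split the scenario from the report (walk away, come back 24 hours later) ends in a forced re-login even though the page kept pinging, while a user who actually clicks around every hour is never interrupted.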
Status: New ⇒ Expected Behaviour
Closed_Date: 0000-00-00 00:00:00 ⇒ 2016-12-09 12:35:14
Closed_By: ⇒ brianteeman
As stated above, this is the expected behaviour. I am closing this.
If you've got the login module in use on the site, this is expected behavior. See #11756 for more info.