The default session timeout is way too low (15min). This patch increases the default to 24h (24*60=1440).
For comparison, these are the default values of other CMS:
Wordpress: 48 hours
Typo3: 1 hour
Drupal: ~23 days
Go to "Global Configuration" -> "System" and check that "Session lifetime" is set to "1440" on a new installation.
Screenshot:
Status | New | ⇒ | Pending |
Labels | Added: ? |
Status | Pending | ⇒ | Needs Review |
Category | ⇒ | Administration |
Setting to Needs Review based on Brian's comment.
I agree with Brian. Having the session stay open for 24 hrs doesn't sound like a good idea. I don't know why other CMS have it that high; maybe they have other security mechanisms included.
How does the "Remember me" option affect that value?
It is unrelated.
What does it do then?
Remember me creates a persistent cookie which logs you in automatically on the next visit. That may be a day later or whatever. By default the cookie will stay for 60 days.
It will however not save the session. A new session will be created.
Is there a reason we don't have the "Remember me" checkbox on the administration side? I understand that in some cases you don't want a session to persist for a long time, but still a lot of people work on their own computers when they work on a website, and we should give them an opportunity to keep the session longer than 15 min (if the administrator doesn't change the default session lifetime).
Is there a reason we don't have the "Remember me" checkbox on the administration side?
Yes, remember-me is designed to work only in frontend. Having auto-login in the backend is not really a good idea.
I understand that in some cases you don't want a session to persist for a long time
It's not about sessions. The session is reset anyway, regardless of remember-me. Remember performs a regular login action.
but still a lot of people work on their own computers when they work on a website, and we should give them an opportunity to keep the session longer than 15 min
If you are editing an article or in most forms, the session will be kept alive and will not time out. There is a little JavaScript code which ensures that.
Please remember that the session lifetime refers to inactivity only.
On 4 Jul 2015 7:28 pm, "Samuel Mehrbrodt" notifications@github.com wrote: (quoting the comment above)
I understand that 24 hours can be too long of a session, however 15 minutes is too short of a session. What about something like 60 minutes? Even 30 minutes would be a nice improvement. It is not at all unreasonable to be inactive for 15 minutes which is very common.
@JoshuaLewis but Joomla allows changing this time in Global Configuration on each site; I do not see the problem.
My point is about using a better default. Many folks who freshly install Joomla will not change this and will have their session end. 30 minutes seems appropriate.
What is the issue you try to solve? As said, inactivity while within a form doesn't time out the session, because we have a script which pings the server every now and then to keep the session alive. So data loss shouldn't happen.
@JoshuaLewis I still see no reason to change the time; it has been like that for years, and works well.
What really would be cool is if someone made "Remember me" for the backend.
I do not agree with @Bakual that "Having auto-login in the backend is not really a good idea." ...
If we compare "User uses a 10 hour session lifetime" (which I see often) and "User uses Remember me", the second is safer, as the user can control it more simply (just a checkbox) when going online using a public PC ...
Keep in mind that when you close all your browser windows, the session cookie is destroyed even if the session time hasn't run out yet. So if you close the browser windows, you are sure that nobody will be automatically logged into the backend. Except of course if you're hacked and the session cookie is stolen. But there it doesn't really matter if it is 15 minutes or 10 hours. It's ample time for the hacker anyway.
The time applies to the server side, where the session of an inactive browser will get trashed after the time runs out.
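The server-side inactivity timeout, the form keepalive ping and the remember-me behaviour described in the comments above, modelled as an added Python example. This is not Joomla's code; the class and function names, the cookie names and the constructed remember-me token table are my own assumptions, and the 15 / 1440 minute values and the 60-day cookie come from the thread itself.

```python
"""Illustrative model of idle-timeout sessions (added example, not Joomla's code)."""
import secrets
from dataclasses import dataclass, field

DEFAULT_LIFETIME_MIN = 15     # Joomla's default "Session lifetime" (minutes) discussed above
PROPOSED_LIFETIME_MIN = 1440  # the value this PR proposes (24 * 60)
REMEMBER_ME_DAYS = 60         # default lifetime of the remember-me cookie mentioned above


@dataclass
class Session:
    user: str
    last_activity: float  # epoch seconds of the last request that touched this session


@dataclass
class SessionStore:
    """Server-side session table. The lifetime counts inactivity, not time since login."""
    lifetime_min: int = DEFAULT_LIFETIME_MIN
    sessions: dict = field(default_factory=dict)

    def login(self, user: str, now: float) -> str:
        sid = secrets.token_hex(16)          # fresh, unguessable session id
        self.sessions[sid] = Session(user, now)
        return sid

    def touch(self, sid: str, now: float):
        """Run on every request (page load or keepalive ping). Returns the user if alive, else None."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_activity > self.lifetime_min * 60:
            del self.sessions[sid]           # idle too long: the server trashes the session
            return None
        s.last_activity = now                # any activity resets the idle clock
        return s.user


def session_cookie(sid: str) -> str:
    # No Expires/Max-Age: a browser session cookie, dropped when the last browser window closes
    return f"joomla_session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def remember_me_cookie(token: str, days: int = REMEMBER_ME_DAYS) -> str:
    # Persistent cookie: survives browser restarts until Max-Age elapses
    return f"remember_me={token}; Path=/; Max-Age={days * 24 * 3600}; HttpOnly; Secure; SameSite=Lax"


def remember_me_login(store: SessionStore, remember_tokens: dict, token: str, now: float):
    """Remember-me performs a regular login: the old session is not revived, a new one is created."""
    user = remember_tokens.get(token)
    return None if user is None else store.login(user, now)


def idle_request_survives(lifetime_min: int, idle_min: int) -> bool:
    """Log in, stay silent for idle_min minutes, then send one request."""
    store = SessionStore(lifetime_min)
    sid = store.login("admin", 0)
    return store.touch(sid, idle_min * 60) is not None


def keepalive_keeps_session(lifetime_min: int, ping_min: int, total_min: int) -> bool:
    """A form page pinging the server every ping_min minutes for total_min minutes."""
    store = SessionStore(lifetime_min)
    sid = store.login("admin", 0)
    t = 0
    while t < total_min:
        t += ping_min
        if store.touch(sid, t * 60) is None:
            return False
    return True


def remember_me_after_expiry() -> bool:
    """After the session expires, remember-me yields a different session id for the same user."""
    store = SessionStore(DEFAULT_LIFETIME_MIN)
    tokens = {"tok-constructed": "admin"}   # constructed remember-me token table
    old = store.login("admin", 0)
    assert store.touch(old, 60 * 60) is None          # one hour idle: session is gone
    new = remember_me_login(store, tokens, "tok-constructed", 60 * 60)
    return new is not None and new != old and store.touch(new, 61 * 60) == "admin"


if __name__ == "__main__":
    print("15 min default, 16 min idle:", idle_request_survives(15, 16))                  # False
    print("1440 min (this PR), 16 min idle:", idle_request_survives(PROPOSED_LIFETIME_MIN, 16))  # True
    print("15 min default, keepalive every 5 min for an hour:", keepalive_keeps_session(15, 5, 60))  # True
    print("remember-me creates a new session:", remember_me_after_expiry())              # True
    print(session_cookie("constructed-sid"))
    print(remember_me_cookie("constructed-token"))
```

The two scenarios that matter for the thread are visible in the helpers: with the 15-minute default a single request after 16 idle minutes finds the session gone, while a form that pings every 5 minutes stays logged in for as long as it is open; with 1440 the same idle request succeeds, which is exactly the public-computer exposure the reviewers object to.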
Keep in mind that when you close all your browser windows, the session cookie is destroyed even if the session time isn't yet run out
True, at least in theory it should be like that,
but in real life not always, at least for Chrome.
I just made a test for this: logged in to one Joomla site with a lifetime of 10 min, closed the browser, and after opening it again I see that I am still logged in.
Even more reason NOT to increase the default values
On 7 Jul 2015 20:51, "Fedir Zinchuk" notifications@github.com wrote: (quoting the comment above)
but in real life not always, at least for Chrome,
Make sure you also close the Chrome Desktop Notifications. It's basically Chrome running in background and thus you didn't close all Chrome windows :)
For me the session gets closed as expected if I close all Chrome windows including the desktop notification task (in the task tray).
Otherwise it would be a bug in Chrome. The cookie is set to a lifetime which only applies to the current browser session. Closing all browser windows has to delete that cookie.
A regular user cannot be expected to know that, and that is NOT the only issue with Chrome and cookies not being cleared on browser close.
http://stackoverflow.com/questions/10617954/chrome-doesnt-delete-session-cookies
On 8 July 2015 at 10:35, Thomas Hunziker notifications@github.com wrote: (quoting the comment above)
Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/
Interesting indeed.
I can see no clear reason to change the default at this time, so I'm closing this issue. Thanks for raising it for discussion.
Status | Needs Review | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-05-07 10:33:48 |
Closed_By | ⇒ | zero-24 |
Set to "closed" on behalf of @zero-24 by The JTracker Application at issues.joomla.org/joomla-cms/7330
Closing
This is a really bad idea. The entire concept of a session timeout is to log you out AFTER a period of inactivity. By increasing the value anyone with access to your computer has access to your sites.
As it is a user configurable setting it is something that a site admin can choose to do, but I would not recommend it at all.
Example - you login to your site from a public computer and for the next 24 hours anyone has access to your site.
On 3 July 2015 at 16:18, Samuel Mehrbrodt notifications@github.com wrote: