DMXzone Security Provider PHP Support Product Page
Answered
Session timeout
Asked 27 Oct 2016 09:39:21
1
has this question
27 Oct 2016 09:39:21 David Woolley posted:
I thought I had login & logout security all working using the Server Connect Security Provider & the Security Enforcer, but I notice that if a user does not logout properly, the restricted page is still accessible a few days later without having to login. Browser was closed in the meantime of course.php.ini seems to have all the correct Session settings, so why is the session not being destroyed after 24 minutes?
session.gc_maxlifetime = 1440
session.gc_probability = 1
session.gc_divisor = 1000
session.cookie_lifetime = 0
Testing locally with XAMPP & DW CS6.
Replies
Replied 27 Oct 2016 09:52:09
27 Oct 2016 09:52:09 Teodor Kuduschiev replied:
Hello David,
What do you mean by - "if a user does not logout properly"? There is only one way to log out ... clicking the logout button, which runs the logout action.
If you have the remember me checkbox checked, when you close your browser and open it again, you are still logged in.
If the remember me checkbox is not checked, when you close the browser and open it again you are not logged in.
What do you mean by - "if a user does not logout properly"? There is only one way to log out ... clicking the logout button, which runs the logout action.
If you have the remember me checkbox checked, when you close your browser and open it again, you are still logged in.
If the remember me checkbox is not checked, when you close the browser and open it again you are not logged in.
Replied 27 Oct 2016 09:55:39
27 Oct 2016 09:55:39 Teodor Kuduschiev replied:
Of course you can set the cookie expiration period in the security provider options:
Replied 27 Oct 2016 10:28:14
27 Oct 2016 10:28:14 David Woolley replied:
Hi Teodor - ther'e always the possibility that a user will forget to logout, and close the browser.
Usually the session timeout would take care of this
I'm not using a 'Remember Me' checkbox field in my custom login form.
By the way, your latest Security Provider videos don't use a Remember Me checkbox in the custom login form.
So the cookie expiration time does not apply.
So it seems like I should use a 'Remember Me' field to alleviate this problem. Perhaps I should hide this field and set the value to 0 so users can't select this - in other words, always OFF.
Dave
Usually the session timeout would take care of this
I'm not using a 'Remember Me' checkbox field in my custom login form.
By the way, your latest Security Provider videos don't use a Remember Me checkbox in the custom login form.
So the cookie expiration time does not apply.
So it seems like I should use a 'Remember Me' field to alleviate this problem. Perhaps I should hide this field and set the value to 0 so users can't select this - in other words, always OFF.
Dave
Replied 27 Oct 2016 10:31:57
27 Oct 2016 10:31:57 Teodor Kuduschiev replied:
It doesn't matter if the videos show it or not ... you can choose whether to use it or not.
If the remember me is not set, the cookie is destroyed when the browser session ends.
If the remember me is not set, the cookie is destroyed when the browser session ends.
Replied 27 Oct 2016 12:13:27
27 Oct 2016 12:13:27 David Woolley replied:
I've added a 'remember_me' checkbox to my custom login form.
<input type="checkbox" name="remember_me" id="remember_me">
Server Connect:
Server action: dbUser
Added $_POST.remember_me to Globals
Security Provider > Advanced > Set Cookie Expiration to 7 days
Added $_POST.remember_me to Security Login Remember field using SC Data Bindings pickup
What else should I do? Something obvious I'm sure!
If I login with Remember Me checked, then logout, the login page does not retain my username & password.
<input type="checkbox" name="remember_me" id="remember_me">
Server Connect:
Server action: dbUser
Added $_POST.remember_me to Globals
Security Provider > Advanced > Set Cookie Expiration to 7 days
Added $_POST.remember_me to Security Login Remember field using SC Data Bindings pickup
What else should I do? Something obvious I'm sure!
If I login with Remember Me checked, then logout, the login page does not retain my username & password.
Replied 27 Oct 2016 12:27:58
27 Oct 2016 12:27:58 Teodor Kuduschiev replied:
I am not sure you understand how the remember me option works.
This is exactly how it is supposed to act.
Remember me option does not save your username and password in the form. This is controlled by your browser.
Remember me option keeps the login cookie, when you end the browser session, so you don't have to login again to access restricted pages. It keeps you logged in.
Of course when you log out the remember me function won't keep the cookie, as it is destroyed on log out ...
This is exactly how it is supposed to act.
Remember me option does not save your username and password in the form. This is controlled by your browser.
Remember me option keeps the login cookie, when you end the browser session, so you don't have to login again to access restricted pages. It keeps you logged in.
Of course when you log out the remember me function won't keep the cookie, as it is destroyed on log out ...
Replied 27 Oct 2016 13:43:02
27 Oct 2016 13:43:02 David Woolley replied:
Thanks Teodor - I was confused by the browser remembering passwords.
Now I understand (I think).
Is my setup above OK? Anything else to do?
Dave
Now I understand (I think).
Is my setup above OK? Anything else to do?
Dave
Replied 27 Oct 2016 14:01:58
27 Oct 2016 14:01:58 Teodor Kuduschiev replied:
It looks fine.
remember me is just a function which keeps your cookie. We don't do anything related saving forms data - this is all browser related.
remember me is just a function which keeps your cookie. We don't do anything related saving forms data - this is all browser related.