How to setup short session timeout?

Added by Radosław Koppel over 11 years ago

I have been looking for this information all day long. I found many threads with questions about users being logged out automatically and what to do to avoid this. I have the opposite problem.

Now, when I am logged in, this is permanent. So I can close the page (not the browser), do something else all day long, and when I open Redmine I am still logged in. I wish to have some automatic session expiration functionality for security reasons.

Is there any solution?

Replies (8)

RE: How to setup short session timeout? - Added by Felix Schäfer over 11 years ago

See Administration > Configuration > Authentication > Autologin and set it to never. For anything more, you'll likely need to make your browser erase cookies when you leave the page.

RE: How to setup short session timeout? - Added by Radosław Koppel over 11 years ago

I have had it set to never the whole time.

I cannot accept the idea of setting up the browser to erase cookies. I can do it myself, but what about all the other users? The problem is also when somebody logs in on a computer that is not his own and then forgets to log out. I am afraid that the Redmine project page will still be accessible forever[1] from this computer.

I also found that if I change it to any other value, I have to change the autologin row in the database manually to turn it off again (is it a bug or is it a feature?).

[1] I mean if somebody never closes the browser and only hibernates the machine when not working on it.

RE: How to setup short session timeout? - Added by Felix Schäfer over 11 years ago

Have a look at redmine_dir/config/initializers/session_store.rb, you should be able to pop a :expires => 600 in the ActionController::Base.session hash, that will expire sessions after 600 seconds.

Anyway, if you have such sensitive data: educate your users to log out before they leave if they log in from public terminals and stuff like that, or enforce some kind of VPN.

RE: How to setup short session timeout? - Added by Radosław Koppel over 11 years ago

If I understood it well, my session_store.rb file should look like this:

ActionController::Base.session = {
  :session_key => '...',
  :secret => '...',
  :expires => 600
}

It causes an internal server error 500 ;/
What am I doing wrong?

Interesting idea about the VPN. I will look into how to configure it :)

RE: How to setup short session timeout? - Added by Felix Schäfer over 11 years ago

Mmh, it seems the cookie-based sessions behave a little differently, maybe try :expire_after => 10.minutes instead of expires?

RE: How to setup short session timeout? - Added by Radosław Koppel over 11 years ago

Felix Schäfer wrote:

Mmh, it seems the cookie-based sessions behave a little differently...

Is it hard to change a cookie-based session to a file-based one? For somebody who has never programmed in Ruby (but I know C, C++, PASCAL, ASM, PHP, SH scripts)? I have about 10 users now. I can write a script fired by cron that will delete old session files. So I'm not worried about session files growing too fast.

maybe try :expire_after => 10.minutes instead of expires?

I read that the main problem with setting the cookie expiry time is that if somebody is in a different time zone, they might never be able to log in.

RE: How to setup short session timeout? - Added by Felix Schäfer over 11 years ago

Radosław Koppel wrote:

Felix Schäfer wrote:

Mmh, it seems the cookie-based sessions behave a little differently...

Is it hard to change a cookie-based session to a file-based one? For somebody who has never programmed in Ruby (but I know C, C++, PASCAL, ASM, PHP, SH scripts)? I have about 10 users now. I can write a script fired by cron that will delete old session files. So I'm not worried about session files growing too fast.

Not that hard, but that will incur at least 2 (needless) file accesses on each page call on an otherwise pretty much cached-through app. You'll have to google the specifics yourself though, but ActionController::Base.session should be a good place to start.

maybe try :expire_after => 10.minutes instead of expires?

I read that the main problem with setting the cookie expiry time is that if somebody is in a different time zone, they might never be able to log in.

Who said that? Never heard of such a problem, and Rails should take care of that for you. Try it, you can always roll it back if it doesn't work.

RE: How to setup short session timeout? - Added by Radosław Koppel over 11 years ago

Felix Schäfer wrote:

Try it, you can always roll it back if it doesn't work.

It is working quite nicely :)
I think that this solution is good enough for my needs now :)

Who said that? Never heard of such a problem, and Rails should take care of that for you.

I really do not know now. I did a lot of searching and just found the information that the cookie expiration time is an absolute time based on the server clock. But I have tested it and it works without problems whether my system time is the same as the server time or not.

Thank you for your help, smart and easy solution :)
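
Added example, not part of the thread and not Redmine or Rails code: the expiry that :expire_after puts on the session cookie is honoured by the browser, so a server that wants a hard idle timeout can also keep a signed last-activity timestamp inside the cookie and compare it with its own clock, which is why the client's clock or time zone plays no role. The cookie format, SECRET, IDLE_TIMEOUT and the function names are assumptions made for illustration.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed demo key; a real deployment loads a random secret from config.
SECRET = "constructed-demo-secret-not-for-production"
IDLE_TIMEOUT = 600 # seconds, the 10-minute value discussed in the thread

def sign(data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
end

# Build a signed cookie value that carries its own last-activity timestamp
# (epoch seconds taken from the server clock only).
def issue_session(user_id, now)
  payload = { "user_id" => user_id, "last_seen" => now.to_i }
  data = Base64.strict_encode64(JSON.generate(payload))
  "#{data}--#{sign(data)}"
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [payload, refreshed_cookie] for a live session, or nil when the
# cookie is malformed, tampered with, or idle for longer than IDLE_TIMEOUT.
def validate_session(cookie, now)
  data, mac = cookie.to_s.split("--", 2)
  return nil unless data && mac && secure_equal?(mac, sign(data))
  payload = JSON.parse(Base64.strict_decode64(data))
  return nil if now.to_i - payload["last_seen"] > IDLE_TIMEOUT
  # Sliding window: each accepted request re-issues the cookie with a new timestamp.
  [payload, issue_session(payload["user_id"], now)]
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.at(1_700_000_000)            # constructed server clock
  cookie = issue_session(42, t0)
  p validate_session(cookie, t0 + 300)   # accepted, returns a refreshed cookie
  p validate_session(cookie, t0 + 601)   # rejected even if a browser kept the cookie
end
```

The second call models a cookie that was never deleted on the client (a hibernated machine, a copied cookie): the server rejects it on its own clock regardless of what the browser does.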
